Posts

Showing posts from 2008

Easside-ng

Easside-ng is an auto-magic tool which allows you to communicate via a WEP-encrypted access point (AP) without knowing the WEP key. It first identifies a network, then proceeds to associate with it, obtain PRGA (pseudo random generation algorithm) xor data, determine the network IP scheme and then set up a TAP interface so that you can communicate with the AP without requiring the WEP key. All this is done without your intervention. There are two primary papers of interest: “The Fragmentation Attack in Practice” by Andrea Bittau and “The Final Nail in WEP's Coffin” by Andrea Bittau, Mark Handley and Joshua Lackey. See the links page for these papers and more. The papers referenced provide excellent background information if you would like to understand the underlying methodologies. The concepts for the fragmentation attack currently incorporated in aircrack-ng came from these papers. Access to the wireless network without knowing the WEP key is achieved by having the AP...

Wesside-ng

Wesside-ng is an auto-magic tool which incorporates a number of techniques to seamlessly obtain a WEP key in minutes. It first identifies a network, then proceeds to associate with it, obtain PRGA (pseudo random generation algorithm) xor data, determine the network IP scheme, reinject ARP requests and finally determine the WEP key. All this is done without your intervention. The original wesside tool was written by Andrea Bittau and was a proof-of-concept program to accompany two published papers. The two papers are “The Fragmentation Attack in Practice” by Andrea Bittau and “The Final Nail in WEP's Coffin” by Andrea Bittau, Mark Handley and Joshua Lackey. See the links page for these papers and more. The papers referenced provide excellent background information if you would like to understand the underlying methodologies. The concepts for the fragmentation attack currently incorporated in aircrack-ng came from these papers. For you trivia buffs, who knows where the program name “we...

Packetforge-ng

The purpose of packetforge-ng is to create encrypted packets that can subsequently be used for injection. You may create various types of packets such as ARP requests, UDP, ICMP and custom packets. The most common use is to create ARP requests for subsequent injection. To create an encrypted packet, you must have a PRGA (pseudo random generation algorithm) file. This is used to encrypt the packet you create. It is typically obtained from the aireplay-ng chopchop or fragmentation attacks.

Airtun-ng

Airtun-ng is a virtual tunnel interface creator. There are two basic functions: allowing all encrypted traffic to be monitored for wireless Intrusion Detection System (wIDS) purposes, and injecting arbitrary traffic into a network. In order to perform wIDS data gathering, you must have the encryption key and the BSSID for the network you wish to monitor. Airtun-ng decrypts all the traffic for the specific network and passes it to a traditional IDS system such as Snort. Traffic injection can be fully bidirectional if you have the full encryption key. It is outgoing unidirectional if you have the PRGA obtained via the chopchop or fragmentation attacks. The prime advantage of airtun-ng over the other injection tools in the aircrack-ng suite is that you may use any tool subsequently to create, inject or sniff packets. Airtun-ng also has repeater and tcpreplay-type functionality. There is a repeater function which allows you to replay all traffic sniffed through a wireless device (interface specified by -...

Airdecloak-ng

Airdecloak-ng is a tool that removes WEP cloaking from a pcap file. Some WIPS (actually one) can actively “prevent” cracking a WEP key by inserting chaff (fake WEP frames) into the air to fool aircrack-ng. In some rare cases, cloaking fails and the key can be recovered without removing this chaff. In the cases where the key cannot be recovered, use this tool to filter out the chaff. The program works by reading the input file and selecting packets from a specific network. Each selected packet is put into a list and classified (the default status is “unknown”). Filters are then applied (in the order specified by the user) to this list. They will change the status of the packets (unknown, uncloaked, potentially cloaked or cloaked). The order of the filters is really important, since each filter bases its analysis, amongst other things, on the status of the packets, and different orders will give different results. Important requirement: the pcap file needs to have all packets (including beacons an...

Tkiptun-ng

NOTE: This documentation is still under development. Please check back on a regular basis to obtain the latest updates. If you have any feedback on the documentation, please post your comments to the Forum. NOTE: The tkiptun-ng SVN version is not fully working. A working version will be released shortly. Tkiptun-ng is a tool created by Martin Beck aka hirte, a member of the aircrack-ng team. This tool is able to inject a few frames into a WPA TKIP network with QoS. He worked with Erik Tews (who created the PTW attack) for a conference at PacSec 2008: “Gone in 900 Seconds, Some Crypto Issues with WPA”. Tkiptun-ng is the proof-of-concept implementation of the WPA/TKIP attack. This attack is described in the paper “Practical attacks against WEP and WPA”, written by Martin Beck and Erik Tews. The paper describes advanced attacks on WEP and the first practical attack on WPA. An additional excellent reference explaining how tkiptun-ng does its magic is this Ars Technica article, Batt...

WPA wireless encryption cracked

Researchers have found a method of cracking a key encryption feature used in securing wireless systems that doesn't require trying a large number of possibilities. Details will be discussed at the sixth annual PacSec conference in Tokyo next week. According to PCWorld, researchers Erik Tews and Martin Beck have found a way to crack the Temporal Key Integrity Protocol (TKIP) key, used by Wi-Fi Protected Access (WPA). Moreover, they can do so in about 15 minutes. The crack apparently only works for data aimed at a Wi-Fi adapter; they have not cracked the encryption keys used to secure data that goes from the PC to the router. TKIP has been known to be vulnerable when using a high volume of educated guesses, or what's called a dictionary attack. The methods to be described by Tews and Beck do not use a dictionary attack. Apparently their attack uses a flood of data from the WPA router combined with a mathematical trick that cracks the encryption. Some elements of the crack have alr...

tkiptun-ng

It is a tool created by Martin Beck aka hirte, a member of the aircrack-ng team. This tool is able to inject a few frames into a WPA TKIP network with QoS. He worked a few weeks ago with Erik Tews (who created the PTW attack) for a conference at PacSec 2008: “Gone in 900 Seconds, Some Crypto Issues with WPA”.

WPA Wi-Fi Security Gets Cracked; Your Network is No Longer Secure

When it came to setting up Wi-Fi networks, if you knew what you were doing you would enable WPA security. This would keep people with a small amount of knowledge from gaining access to your network, which is very easy with the much weaker WEP security. No more! WPA security has now been cracked, rendering all but the most tightly-locked networks open for hacking. Researchers by the name of Erik Tews and Martin Beck were the ones to do the cracking, finding a way to break the Temporal Key Integrity Protocol (TKIP) in under 15 minutes. They haven't, however, figured out how to gain access to the data that travels between the PC and the router, so that's a plus. So what should you do to secure your network? Switch to WPA2, which is still uncracked for the time being. And if you want to be one of those marginally-skilled Wi-Fi hackers? Grab the Aircrack-ng Linux program, which has already had this new code added to it. via gizmodo.com

How to Protect Your Wi-Fi Network from the WPA Hack

WEP Wi-Fi security has been known as an easy-to-crack security protocol for a while now, which is why it was superseded by the more secure Wi-Fi Protected Access (WPA) standard. But now a PhD candidate studying encryption has found an exploit in the WPA standard that would allow a hacker to "send bogus data to an unsuspecting WiFi client," completely compromising your Wi-Fi security and opening your network to all sorts of hacking. Lucky for you, it's not terribly difficult to protect yourself against the new exploit. The key: Just log into your router, switch off Temporal Key Integrity Protocol (TKIP) as an encryption mode, and use Advanced Encryption System (AES) only. TKIP is the only protocol that the hack applies to, so switching to AES-only will ensure that your Wi-Fi network is safe again. It's quick and easy, so do yourself a favor and make the adjustment now so you don't run into any problems in the future. via lifehacker.com

Super Bluetooth Hack 1.8

Free Download Super Bluetooth Hack 1.8 Compatible With: Alcatel: One Touch 557, One Touch 557a, One Touch 735, One Touch 756, One Touch C550, One Touch C552, One Touch C552a, One Touch C750, One Touch S853 Asus: P525 Audiovox: SMT 5600 BenQ: A520, C30, EF51, P50 BenQ-Siemens: CL71, E61, S81, S88 BlackBerry: 6220, 6230, 6280, 6720, 7100, 7100i, 7130, 7130e, 7210, 7230, 7250, 7280, 7290, 7510, 7520, 7730, 8100, 8130, 8300, 8310, 8320, 8700, 8703e, 8707, 8800, 8820, 8830 CECT: A1000 Cingular: Cingular 2125, Cingular BlackJack Dopod: Dopod 515, Dopod 557w, Dopod 565, Dopod 575, Dopod 585, Dopod 586w, Dopod 595, Dopod C720W HP: iPAQ 510 Mobile Messenger HTC: HTC MTeoR, HTC S310, HTC S620, HTC S650, HTC S710, P3400, P3450 Huawei: U526, U626 i-mate: i-mate Smartphone2, i-mate SP Jas, i-mate SP3, i-mate SP3i, i-mate SP5, i-mate SP5m, i-mate SPL I-mobile: 510 Lenovo: V800 LG: B2000, B2050, B2070, B2100, B2150, C1100, C1150, C2000, C2500, C2600, C3100, C3300, C3400, CG225, CU400, CU500, F2400, G...

Wireless Keyboard Hack

Wired keyboards emit electromagnetic waves, because they contain electronic components. This electromagnetic radiation could reveal sensitive information such as keystrokes. Although Kuhn already tagged keyboards as risky, we did not find any experiment or evidence proving or refuting the practical feasibility of remotely eavesdropping on keystrokes, especially on modern keyboards. To determine if wired keyboards generate compromising emanations, we measured the electromagnetic radiation emitted when keys are pressed. To analyze compromising radiation, one generally uses a receiver tuned to a specific frequency. However, this method may not be optimal: the signal does not contain the maximal entropy, since a significant amount of information is lost. Our approach was to acquire the signal directly from the antenna and to work on the whole captured electromagnetic spectrum. We found 4 different ways (including the Kuhn attack) to fully or partially recover keystrokes from wired keyboards at a di...

Arpwatch

Arpwatch is a tool that monitors Ethernet activity and keeps a database of Ethernet/IP address pairings. It also reports certain changes via email. Arpwatch uses libpcap, a system-independent interface for user-level packet capture. Before building tcpdump, you must first retrieve and build libpcap, also from LBL, in: ftp://ftp.ee.lbl.gov/libpcap-*.tar.Z.

How to catch hackers on your wireless network

There are lots of tools around to help people carry out ARP-related exploits, and if a malicious, Wi-Fi enabled neighbour decided to find out more about your network, this could be an effective way to do it. The good news is that there are some defences out there. The bad? They can be costly and don’t always deliver the protection you might expect. Arpdefender is a good example. It’s a solid-state security appliance that you simply connect to your network, then leave to look out for ARP poisoning attacks. It would be excellent if not for the fact that it costs almost £300 and, even if it does detect an attack, will do little more than make an entry in your system logs. more via thewifihack.com

Intel Wireless Wi-Fi 5100 Card injection OK

The Intel Wireless Wi-Fi 5100 card injection test is working OK with kernel linux-2.6.27-rc7.tar.bz2, patched with the latest iwlwifi driver patch, which enables packet injection for iwlagn. In order to get injection working on the Intel 5100 card, download the latest linux-2.6.27-rc7.tar.bz2 kernel and patch the iwlwifi driver with the diffs from the latest kernel iwlwifi driver changes from Stefanik Gábor.

Cracking WPA with GPU support

Pyrit takes a step ahead in attacking WPA-PSK and WPA2-PSK, the protocol that today de facto protects public WiFi airspace. The project's goal is to estimate the real-world security provided by these protocols. Pyrit does not provide binary files or wordlists and does not encourage anyone to participate or engage in any harmful activity. This is a research project, not a cracking tool. Pyrit's implementation allows one to create massive databases, pre-computing part of the WPA/WPA2-PSK authentication phase in a space-time trade-off. The performance gain for real-world attacks is in the range of three orders of magnitude, which urges reconsideration of the protocol's security. Exploiting the computational power of GPUs, this is currently by far the most powerful attack against one of the world's most used security protocols.

Giga Password Generator

"Giga password Generat0r". It has 23 different modes for generating almost everything, including hexadecimal and a personal charset. The script uses the crunch generator, which makes generation really fast. The script is still in development; I will add more modes later so that it covers all the possibilities, including special chars and blank spaces. The script is still in French; I will translate it when I find some time. You can download the script here: Giga Password Generat0r v 1.2 (latest version with 23 generating modes)

AiroWizard 1.0 Beta revision 240

The WEP key recovering utility for Windows, AiroWizard 1.0 Beta revision 240. Changes:
- Adapter list tab: the "Check vendor" button no longer invokes the message box with the vendor name. The vendor's name is now under the "vendor" label. As Mister_X suggested, I transferred the MAC code text files to a database, so that clicking on a particular adapter in the adapter list no longer hogs the CPU (as much...). http://airowizard.webs.com/adapters.gif
- Monitor mode tab: Here's something for Zermelo. If airserv-ng is not running, there's no way to run any other part of the suite that depends on airserv-ng. http://airowizard.webs.com/monitor.gif
- WEP crack and recovery tab: Here's something for Zermelo, again. Added ivstools support, as well as the dictionary switch. http://airowizard.webs.com/aircrack.gif
- Advanced tab: As Mister_X suggested, I've added the "Usage help" button, which invokes a new form with the redirected output from a program (without...

Fast-Track version 3.4

* Small change: I dynamically generate the version numbers now in menu and command line mode. Before, you may have noticed it said Version 3 and never changed between versions. Now it shows the correct version number with every update.
* Changed changelog.txt and credits.txt to CHANGELOG and CREDITS. Also brought the credits up to date.
* Fixed a bug where going to About in menu mode would cause Fast-Track to crash.
* Added error handling in the Fast-Track Web GUI for when the port is already in use.
* Removed the Shikata Ga Nai encoding from Fast-Track's SQLPwnage; it was causing issues on some systems with corruptible executables.
* Added better cleanup in SQLPwnage to remove H2B files as soon as the conversion to binary is completed.
* Added a "browse" button to the wordlist specification in the SQL bruter and in the binary-to-hex generator. Before, you had to manually specify the wordlist or file to convert; now you just hit the browse button and navigate to it.
* Changed th...

Spoonwep2

Spoonwep2 adds an automatic victim sniffer, presenting the results of airodump in an intuitive manner.
Download: http://neovortex.kodings.googlepages.com/spoonwep2.lzm
Demo: http://neovortex.kodings.googlepages.com/spoonwep2vid.htm
INSTALLATION/UPDATE:
LIVE INSTALL: copy spoonwep2.lzm to /BT3/modules on your USB stick or into your ISO.
REAL & LIVE+CHANGES INSTALL: open a shell and type: lzm2dir spoonwep2.lzm /
You can still launch it from the command line by typing: spoonwep
Demo of the old spoonwep: http://neovortex.kodings.googlepages.com/spoonwepvid.htm

Tool Spoonwpa Wpa Key

Download: http://shamanvirtuel.googlepages.com/SWPA.lzm
Install with: lzm2dir SWPA.lzm / (or copy it to the module folder). This adds a link into the KMenu under wifi/cracking; you can also launch it by typing spoonwpa in a shell.
Demo: http://neovortex.kodings.googlepages.com/spoonwpavid.htm

Installing Backtrack 3 under VirtualBox - Part 3

29.): You can install software on Backtrack 3 and save 'Snapshots' to save your place or follow another tutorial about making any changes 'sticky' to preserve your work between boots. Go back to your "Settings" and change the "Radio Button" to finish using the Backtrack 3 installation .ISO image on your HD. 30.): See these threads for info on copying the CD/DVD-ROM .ISO image to VirtualBox's virtual HD drives so you can make changes and update your software without resorting to Snapshots to make things sticky. How to install backtrack 3 final from the shell hxxp://forums.remote-exploit.org/showthread.php?t=14751 Install BT3 live onto flash, save changes, with compiz hxxp://forums.remote-exploit.org/showthread.php?t=14812 TUTORIAL: live install with changes, swap and data partitions hxxp://forums.remote-exploit.org/showthread.php?t=7844 How to install BT3Final onto external USB HDD - Solve the Kernel Panic hxxp://forums.remote-exploit.org/showthre...

Installing Backtrack 3 under VirtualBox - Part 2

10.): In the "General", "Settings", "Advanced" tab you should do the following: Click the "Boot Order", "Floppy" checkbox to uncheck it. The "CD/DVD-ROM" should be the first boot device (for installation only). You can leave the "Boot Order", "Hard Disk" checkbox checked; you will re-order the drives later. Leave the "Extended Features", "Enable ACPI" checkbox checked. Click the "Extended Features", "Enable IO APIC" checkbox to make it checked. If you have a newer CPU then click the "Extended Features", "Enable VT-x/AMD-V" checkbox to make it checked. Click the "Extended Features", "Enable PAE/NX" checkbox to make it checked. Choose "Bidirectional" for the "Shared Clipboard" setting. Choose "PIIX4" for the "IDE Controller Type" (PIIX3 does not implement an SMBus or I2C bus). Change the "Sna...

Installing Backtrack 3 under VirtualBox

Intro: This is a tutorial on how to install Backtrack 3 (Linux) on Windows XP so you will be able to run both Windows and Backtrack 3 (Linux) at the same time without rebooting. It is written "skinny" so you can read it on one side of the screen and install Backtrack 3 in VirtualBox on the other side of the screen. The text "hxxp://." means to use http and add "www". In this tutorial we will be using the free virtualization tool VirtualBox. If you have ever used VMWare then the procedure is similar, but there are a few more steps (and the ability to directly access your hardware (ONLY if you have a NEW computer that supports either VT-x or AMD-V)). I have Backtrack 3 working perfectly and can boot from my hard drive; your results may be better (or worse) depending on: your computer, your "Wireless Network Adapter" driver, your choice of "Wireless Network Adapter" card and your abilities in general. It is also possible to use VirtualBox t...

Destruction Mode Charon 2 GUI

Last year we wrote about a not-so-well-known tool called MDK, as part of the “Cracking WEP key - Access Point with pre-shared key (PSK)” concept. A lot of time has passed since then and now we have a well-working stable version, even with the GUI extension Charon. It was not much of a deal in Fall 2007, but the situation has changed. The author has also decided to enable the Destruction Mode in the menu. The extension is written in Java and is very stable. If you have not encountered the MDK tool before, it is a proof-of-concept tool from the authors of the PTW implementation in aircrack-ng (Darmstadt Lab). It uses 8 concepts of attacking wireless networks. b - Beacon Flood Mode sends beacon frames and confuses the client by creating fake APs. This is able to make AP scanning applications and devices unusable. a - Authentication DoS mode sends auth frames to all APs in range. This results in freezing or restarting devices. p - Basic probing and ESSID Bruteforce mode sends probe requests to APs and...

Packet Injection wifi Intel 4965 AGN

Finally there is a way to get packet injection working with the driver for the Intel WiFi Link 4965AGN wireless card on Linux. The modified driver is the original iwlwifi driver (included, for example, in the Backtrack Linux distribution). Be aware that packet injection is functional but still experimental (development version). Besides the complicated compilation and occasional instability, so far (September 2008) the aireplay-ng attack -9 (i.e. the injection test) does not work 100%. Tutorial for packet injection with the Intel Pro Wireless 4965AGN (iwl4965). What do you need:
- kernel 2.6.25 or higher*,
- kernel sources,
- the compat-wireless-2.6 package,
- aircrack-ng (>= RC1),
- basic development tools (make, gcc, …),
- the injection patch for the driver.
Be aware that the instructions are for generic Linux. Your distribution, mainly in the case of advanced package management (Debian, Ubuntu, etc.), may include the required packages in source form (then you don’t have to compile them manually from so...

Sucking Data off of Cell Phones

There is a new electronic capture device that has been developed primarily for law enforcement, surveillance, and intelligence operations that is also available to the public. It is called the Cellular Seizure Investigation Stick, or CSI Stick as a clever acronym. It is manufactured by a company called Paraben, and is a self-contained module about the size of a BIC lighter. It plugs directly into most Motorola and Samsung cell phones to capture all data that they contain. More phones will be added to the list, including many from Nokia, RIM, LG and others, in the next generation, to be released shortly.

Countermeasures of FTE against copying their Bluetooth sniffer

FTE is finally reacting to the fact that you can easily copy their Comprobe firmware to other, regular Bluetooth USB dongles. First, with the new hardware they released earlier this year, the structure of the firmware has also changed. Therefore the newer firmware won't work out of the box the good old way. Second, they seem to have changed their licensing policy. You have to register your software (with your license key) with FTE4BTonline. And, that’s the funny thing, it seems that you also have to ‘de-register’ your software online. This means: when you want to install your software somewhere else, uninstall it on the other PC and ‘de-register’ it online. Then install it on the other PC. source: http://www.evilgenius.de/

JoikuSpot Light v2.1 Beta S60v3 SymbianOS [Updated - 31st July '08]

JoikuSpot is a FREE and SECURE Mobile HotSpot solution that turns Nokia phones into a WLAN HotSpot. The JoikuSpot software is installed directly on the phone. When switched on, laptops and iPods can establish an instant, secure and fast WLAN connection via the smartphone's JoikuSpot HotSpot, using the phone's own 3G internet connection. Multiple devices can connect to JoikuSpot in parallel and seamlessly share the same 3G internet connection. You can use JoikuSpot to access the internet e.g. on the train, in the car, on a sailing boat, at the summer cottage, in a hotel, while walking, or when at a remote office... wherever you are! Release notes for JoikuSpot Light:
- Landing page works with all operators
- Encryption support with WEP, including a 128-bit key generator
- Battery threshold shutting down the client when the battery level is too low
- Default Access point setting
- Support for secure SSH tunnels with PuTTY
- MapSpot 1.0 support for GPS HotSpot location identification with external mapping services such as Google Maps
All sett...

FTD FieldTest NetMonitor S60v3 SymbianOS9.1/9.2

Description: FTD is a network monitoring application for mobile devices. Full GSM signalling, which can be visible to the network operator:
Information on the serving cell: hopping, channel carrier number, RX level, TX power levels, RX quality, time slot, timing advance, radio link timeout, C1, C2, currently used band, type of current channel...
Information on the 1st, 2nd, 3rd, 4th, 5th, 6th, 7th and 8th neighbours.
Network selection display. System information bits for the serving cell. Paging repeat period, TMSI, periodic location update. Network parameters. Ciphering, hopping, DTX status and IMSI. Uplink DTX switching display. BTS-TEST carrier: lock / unlock on one BTS frequency. Toggle cell barred status. Select which band to use: GSM 900 - GSM 1800 - GSM 1900.
Full GPRS signalling displays: Information on the current GPRS state and previous TBF configuration: hopping, channel carrier number, RX level, timing advance, downlink time slot, uplink time slot, channel coding scheme downlink/u...

Nokia Energy Profiler 1.1

Nokia Energy Profiler is a stand-alone test and measurement application for S60 3rd Edition, Feature Pack 1 devices (and onwards). The application allows developers to test and monitor their application’s energy usage in real time in the target device. The application is available as a SIS package for S60 3rd Edition devices, but measurement works only in S60 3rd Edition, Feature Pack 1 (or newer). Older devices can still view files. This view shows the cellular signal levels as RX and TX levels. RX level corresponds to the power of the received cellular signal. TX level refers to the transmission power from the cellular radio. Both measures are in dBm. TX levels show up only during active transmission periods (voice or data). RX levels are available whenever connected to a cellular network. This means there is no RX level in the Offline phone profile. Average/instant bar values are for the selected signal that is shown in the corner indicator. You can toggle the chosen signal with the...

Tutorial on using downloaded WPA_PSK rainbow tables with airolib

First I obtained the 33 gig rainbow table from renderlab.net/projects/WPA-tables. A 7 gig table is also available but I opted for the larger table; it took me 4 days. Please keep in mind while doing all this decompression that this is a 33 gig file, so you need a lot of space; I hope you are working with a 250 gig hard drive like I am. When the file is downloaded you get wpa_psk-h1kari_renderman.tar.lzma. First you have to extract the .lzma portion; I used the 7zip SDK version on Windows. After downloading the 7zip lzma version I put it in the C:/ root directory, then pull up a DOS prompt and cd into your 7zip lzma folder: lzma.exe d "folder of the wpa_psk-h1kari_renderman.tar.lzma file". After the file has been decompressed you will be left with wpa_psk-h1kari_renderman.tar. Now you have to decompress the .tar; you can do this on your Linux box but I did mine on my Windows box with PeaZip. I opened PeaZip and extracted the .tar, and at the end of the extraction you will have 9 folders; these folders contain the pr...

ssldump

ssldump is an SSLv3/TLS network protocol analyzer. It identifies TCP connections on the chosen network interface and attempts to interpret them as SSLv3/TLS traffic. When it identifies SSLv3/TLS traffic, it decodes the records and displays them in a textual form to stdout. If provided with the appropriate keying material, it will also decrypt the connections and display the application data traffic. ssldump 0.9b3: the current version is 0.9b3. ssldump 0.9b3 contains a number of fixes and enhancements over 0.9b2, including:
- Security fix: some potential overflows and underflows
- Added support for VLANs
- Added the -P flag to disable promiscuous mode
- Fixed bugs in the TCP reassembly code
- A lot of bug fixes

Sniffing SSL traffic using MITM attack / ettercap, fragrouter, webmitm and dnsspoof.

Before reading on: this guide is for educational purposes only. I take no responsibility for what people do with this info. The first thing is to get fragrouter. I don't know if you can use other tools provided with BackTrack; there are 100 ways to skin a cat and this is just my way. http://packetstormsecurity.nl/UNIX/IDS/nidsbench/fragrouter.html There are lots of things that you can do with fragrouter, but we are going to use fragrouter to set up IP forwarding. We do this with this command:
fragrouter -B1
Squash that window and put it to one side. Now open another shell and we will start dnsspoof with this command:
dnsspoof -i ath0 (or whatever network interface you are using)
Again put that window to one side and let's load up webmitm. Webmitm will issue our SSL cert to the victim so we can decrypt the traffic we capture. Start webmitm by typing:
webmitm -d
Now we can start the ARP spoof. To start ettercap type:
ettercap -T -M arp:remote /router addy/ /victim a...

Mdk3 Secret Destruction Mode

It's a combination of different attacks. Cisco still has a bunch of support tickets running. Their Intrusion Detection System crashed because of this special attack. And with the IDS, the routing tables at the whole university got mixed up for about half an hour. So, TRY THIS AT HOME, but not anywhere else. The combination is:
- Running beacon flood mode to generate fake APs with the same name as your victim
- Auth-DoS the original AP with intelligent mode
- Use the amok mode to kick the clients
And for the next version of mdk3:
- Use the upcoming WIDS confusion mode to cross-connect kicked clients to real and fake APs, making all security systems go FUBAR.
In this 802.11 hell, there should be nobody able to access the network. Because:
-> They get kicked when they connect (amok mode)
-> They will see thousands of APs, unable to know which is the one to connect to, thus they are just trying around blindly (beacon flood)
-> The original AP may be too busy to handle the real clien...

Fake Shared Key Authentication: This is the world's first fully functional code to enable fake authentication on networks using Shared Key Authentication. You do NOT need to know the key to authenticate; all you need is a keystream that has been chopped with aireplay-ng's chopchop attack. Hirte, another developer from the aircrack-ng community, successfully included this code in the aircrack suite. Fixed in Version 0.2:
- Show an error when the network does not use Shared Key Authentication
- Get the Capability Field from the Beacon Frame. (Using the standard capabilities failed for some APs)
ska-0.2.tar.bz2 ska-0.1.tar.bz2
Fragmentation Attack: And another world premiere from me. First implementation of the Fragmentation Attack on Linux. This attack needs a special driver and card that is able to handle IEEE 802.11 fragmentation correctly; your driver may not work or may need to be updated/modified. The output of this tool is a file in the aircrack-ng keystream format (.xor). The output can b...

Enhanced Injection driver for Intel ipw3945

This is based on a driver made for testing purposes called ipwraw. It allows raw packet Tx/Rx with the Intel PRO/Wireless 3945ABG adapter; it's raw mode only and can't be used for normal connections to the internet. ipwraw doesn't have wireless extensions, so this modification adds some to make it easier to work with programs like aircrack-ng, kismet, mdk, ... New in ipwraw-ng 2.3.4:
* Added compatibility fixes for recent kernels (2.6.23 and newer)
* Fixed a bug when setting the 5.5 Mb/s rate with iwconfig
* Fixed bugs (I hope) in the Makefile - it would report that old firmware versions were adequate and also had some cosmetic glitches
* Added the set TxPower Wireless Extension. Now TxPower can be set using iwconfig INTERFACE txpower TXPOWER (INTERFACE is normally wifi0 or eth0; TXPOWER is the value you want to set, min=-12 and max=16)
This version includes some fixes ported from the ipw3945 driver. It should be more stable now... D...

RaLink RT73 USB Enhanced Driver

* Support for Fragmentation Attack
* Interface is called rausb0 instead of wlan0 to prevent some tools incorrectly detecting it as a wlanng or hostap driver
* Injection speed can be selected with the iwconfig rate command. The default speed is currently 54 MBit. You may want to lower it to 1 MBit before injection with iwconfig rausb0 rate 1M
* NEW: ToDS packets aren't dropped by the driver anymore. WPA handshake captures are finally possible!

IMPORTANT! Version 3.0.0 is a new fork from the current serialmonkey CVS. It has fixes for 2.6.24 and 2.6.25 and does not need setting a MAC address before bringing the interface up. This version includes all the enhancements of the 2.0 series of this driver. If you unplug the card while it's still in use, it may crash your system. So close all applications accessing it, bring the interface down and then remove the device.

IMPROVEMENT! There is a tiny extra in the 3.0.0 driver. Maybe you can find it with iwpriv ;)

YOU MAY HAVE WAITED FOR THIS: Version 3.0....

RaLink RT2570USB Enhanced Driver

* Prism header can be toggled via iwpriv, no automatic changes which screwed up packet captures!
* MAC changing supported
* Support for Fragmentation Attack

Fragmentation support is now considered stable. The 1.5.0 version has some important fixes for kernel version 2.6.19 and above. For further details on the fragmentation attack see the paper from Andrea Bittau: http://toorcon.org/2005/slides/abittau/

The serialmonkey CVS repository updated its driver from a new RaLink legacy one. Version 1.6.0 is the modification of this driver with fragmentation support, MAC changing and prism headers enabled by default. This driver seems to fix some threading, some SMP and some endianness issues. So it should be more stable than previous releases. Go get it!

Version 1.6.1 works for 2.6.22 kernels and comes with some more stability improvements.

AND NOW FINALLY: Version 1.6.2 with a new base version from serialmonkey CVS, all the patches from the previous version and support for the 2.6.26 kernel:

MDK3

The new MDK3 uses the osdep injection library from the www.aircrack-ng.org project. The Linux-dependent includes have been removed; mdk3 compiles and runs on FreeBSD and even Windows (Cygwin). For Windows you need special drivers, a possibly illegal DLL file and the Cygwin environment. Please see the aircrack-ng website for details. MDK3 has successfully been tested on the new mac80211 stack in kernel version 2.6.23 with the rt2x00 driver and an rt73usb card. If you are a Linux user, just make, make install and have fun. If you are a FreeBSD user, do the same, and report back to me if it works correctly there. And very important, don't forget to type mdk3 instead of mdk2 now ;) MDK3 is licenced under GPLv2.

Features:
- Bruteforce MAC Filters
- Bruteforce hidden SSIDs (some small SSID wordlists included)
- Probe networks for checking if they can hear you
- Intelligent Authentication-DoS to freeze APs (with checking for success)
- Beacon Flooding with channel hopping (can crash NetSt...

Catchme-ng and default-ng

Version 0.9 available! Download version 0.9 to test it out!!

To install do (run airodump-ng first):
1. unzip catchme-ng0-9.zip
2. cd catchme-ng/
3. perl catchme-ng

Dependencies:
1. Aircrack-ng
2. cat, grep, UNIX commands.
3. sox (the audio player)
4. root access.

It's a pretty simple concept: it sequentially cats and greps the piped output for a user-defined MAC address. So, if you were in a big city searching for a WiFu hacker while cruising around wardriving, or simply searching for a certain AP in a massive sea of APs, you can certainly use this tool! Once the MAC string is found, Catchme-ng will notify you immediately with the blast of a siren. So turn up the volume or use headphones and catchme-ng!

Spoon WEP for Noobs (those who wish to be lazy in WiFi)

SpoonWEP is a tool included in BackTrack 3 that cracks a WEP key in a few clicks, so I thought this would help noobs who are unable to crack WEP. This video tutorial shows how to decrypt WEP using the SpoonWEP tool in BT3. Thanks to Shamanvirtuel who created this tool.

Note: we will be doing a client-less attack using the Fragmentation Attack technique.

1) Make sure that your WiFi card is in monitor mode. If you don't know how to do this, see below: wlanconfig ath0 create wlandev wifi0 wlanmode monitor
2) airodump-ng ath0
3) Choose the access point (AP) you want to decrypt WEP for and remember the channel
4) Then copy the AP MAC address
5) Then run the SpoonWEP tool
6) In Victim MAC, paste the AP MAC address
7) Choose your network card; my interface is ath0
8) Set the AP channel number
9) Set the injection rate to maximum
10) Use the Fragmentation and Forge attack
11) Use 128-bit key length
12) Click launch and wait a few minutes; you have decrypted the 128-bit WEP key

Dump RAM from a USB stick

A short while back, researchers at Princeton University published a detailed research paper in which they discussed the process of recovering encryption keys out of computer memory (RAM) after a cold boot. The researchers successfully recovered encryption keys for popular disk encryption systems such as BitLocker and dm-crypt, and developed new algorithms for finding such keys in memory images. msramdmp is a bootable syslinux USB stick that manages to boot itself without overwriting the contents of RAM. This allows msramdmp to dump the contents of RAM to the USB stick for information gathering purposes. Those who can’t boot from a USB device can use the bootable ISO version.

Airspan: 5.4 GHz WiMAX FCC Certified

Airspan Networks, a leading provider of WiMAX gear, today announced that it has received FCC certification for 5.4 GHz WiMAX equipment. The certification covers Airspan’s MicroMAX Base Station as well as Airspan’s subscriber terminals, the ProST and EasyST. Airspan has deployed 5.4 GHz WiMAX internationally for some time, but this certification makes it the first such WiMAX product in the US. Airspan says the solution can be integrated with VoIP and WiFi extensions and incorporates Airspan’s proprietary interference mitigating software. “Airspan is aggressively pursuing a leading role in the US WiMAX market. The most comprehensive range of compelling products, paired with key strategic partnerships, has resulted in an impressive series of account wins in the US this year,” commented Declan Byrne, Airspan’s Chief Marketing Officer. “This new FCC certification provides another vehicle to help Airspan continue our course and drive additional revenues from this growing market.”

Security Researchers Claim To Hack GSM Calls; The creators of the in-development technology say they'll be able to crack GSM encryption with only abou

Security researchers presenting Wednesday at the Black Hat D.C. conference in Washington, D.C., demonstrated technology in development that they say will be able to greatly decrease the time and money required to decrypt, and therefore snoop on, phone and text message conversations taking place on GSM networks. Many mobile operators worldwide use GSM networks, including T-Mobile and AT&T in the United States. The 64-bit encryption method used by GSM, known as A5/1, was first cracked in theory about 10 years ago. The security of the most widely used standard in the world for transmitting mobile phone calls is dangerously flawed, putting privacy and data at risk, two researchers warned at the Black Hat conference in Europe last week. Researchers David Hulton and Steve Muller showed at Black Hat in the U.S. last month how it was possible to break the encryption on a GSM (Global System for Mobile Communications) call in about 30 minutes using relatively inexpensive off-the-shelf equipment a...