
Posts

Showing posts from June, 2008

Destruction Mode with Charon 2 GUI

Last year we told you about a not so well known tool called MDK, as part of the "Cracking WEP key - Access Point with pre-shared key (PSK)" concept. A lot of time has passed since then, and now we have a well working, stable version, even with the GUI extension Charon. It was not much of a deal in Fall 2007, but the situation has changed. The author has also decided to enable the Destruction Mode in the menu. The extension is written in Java and is very stable. If you have not encountered the MDK tool before, it is a proof-of-concept tool from the authors of the PTW implementation in aircrack-ng (Darmstadt Lab). It uses 8 concepts of attacking wireless networks:
b - Beacon Flood Mode sends beacon frames and confuses clients by creating fake APs. This can make AP scanning applications and devices unusable.
a - Authentication DoS mode sends auth frames to all APs in range. This results in freezing or restarting devices.
p - Basic probing and ESSID Bruteforce mode sends probe requests ...

Aircrack-ng 1.0 rc1

Important note: It does not support peek drivers.
Changelog:
airbase-ng: Multi-purpose tool aimed at attacking clients as opposed to the AP.
airbase-ng: Added replay tool for external packet processing feature.
aircrack-ng: Fixed: Displaying the WEP key twice at the end and "Warning: Previous crack is still running".
aircrack-ng: Fixed detection of WPA handshake (was not working correctly in previous release).
aircrack-ng: Fixed PTW attack against QoS and WDS packets.
aircrack-ng: Added oneshot option to try PTW only once.
airodump-ng: Fixed channel numbers (Fixed "fixed channel" messages).
airodump-ng: Added frequency selection (-C).
aireplay-ng: Fixed injection on OpenBSD.
aireplay-ng: Fixed an rtc bug which froze aireplay-ng in case /dev/rtc0 is not available.
aireplay-ng: Fixed chopchop attack against QoS packets.
aireplay-ng: Added Caffe-Latte attack.
aireplay-ng: Added CFrag attack: Turns every IP and ARP packet into an ARP request against the client.
airtun-...

BackTrack 3 Final - Release Information

It's finally happening... BackTrack 3 Final is being released... Finally! Max, Martin and I have slaved for weeks and months, together with the help of many remote-exploit'ers to bring you this fine release. As usual, this version overshadows the previous ones with extra cool things.
SAINT: SAINT has provided BackTrack users with a functional version of SAINT, pending a free request for an IP range license through the SAINT website, valid for 1 year.
Maltego: The guys over at Paterva have created a special version of Maltego v2.0 with a community license especially for BackTrack users. We would like to thank Paterva for co-operating with us and allowing us to feature this amazing tool in BackTrack.
Nessus: Tenable would not allow for redistribution of Nessus.
Kernel 2.6.21.5: Yes, yes, stop whining... We had serious deliberations concerning the BT3 kernel. We decided not to upgrade to a newer kernel as wireless injection patches were not fully tested and verified. We did not want ...

Tutorial: Using frontline comprobe to crack a link key exchange

You will need the following:
one or two bluetooth enabled devices
frontline comprobe
a regular bluetooth device (for getting MACs)
a copy of frontline.c
openciphers
btpincrack
First thing is to set up your lab. Let's get the bluetooth hardware and services started.
Code:
hciconfig hci0 up
hciconfig hci1 up
bash /etc/rc.d/rc.bluetooth start
You can check everything is running correctly by issuing the hciconfig command.
Code:
hciconfig
OK, now we are ready to set up frontline.c. Now I have had some trouble with the frontline source code and my frontline comprobe. I am using the airsniffer47-bc04 and it seems the packet shift is double that set in frontline.c ??? I'm keen to find out what's going on and have asked the powers that be to look into this and they have asked me to try a couple of things. One suggestion is to change FP_TYPE_SHIFT to 2 but it still has the same results. For now you will have to check it out for yourself, but if possible please could somebody try frontline.c with a...

The OpenCiphers Project

This sourceforge project is dedicated to exploring the uses of ASICs, FPGAs and other forms of programmable hardware with modern cryptography. Currently the project is headed by David Hulton through work that he is doing which is funded by Pico Computing, Inc. All of the cores and software provided are licensed under the BSD License and are primarily optimized for Pico's hardware platforms but can be easily adapted for any FPGA based system. All of the performance specs and information provided are based on the Pico E-12 LO card, which utilizes a Virtex-4 LX25 FPGA.
1/31/07 - OpenCiphers Official Release v0.1 added
I've finally got around to packaging together all of the finished projects available on openciphers so I figured I'd finally provide an official release. This tarball includes our Linux 2.6 driver for the Pico E-12, bit files which run the specific algorithms for the projects, the host source code, and additional features. Some improvements include automatically...

bluetooth stacks insecurely saving linkkeys

Bluez - 2.x 3.x
The keystore resides in /var/lib/bluetooth/<bdaddr>/linkkeys where <bdaddr> is the device address of the machine running Bluez. The linkkeys file format is as follows. Unencrypted.
# cat > linkkeys
00:04:3E:65:A1:C8 AA0F3125267C236E10B145F1DF5BA7D7 2
Bluesoleil v.5.0.5.178
%WINDIR%/system32/REMOTEDEVICE.INI
Unencrypted.
[5C:DA:12:E0:1E:20]
relation=0000
link_key=4DAC6F9E0C6700A5E9C44BF7529EF23C
dev_class=0x0050020C
name=Joe
Widcomm 6.0.1.5300
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys
There are keys under there that correspond with MAC addresses. Unencrypted.

Barbelo: Re-released on 01/06/08 to support pre-FP1 phones (e.g., e65)

Barbelo is a wireless (WiFi) security related toolset for Symbian S60 v3. It currently supports, in a primitive form:
Standard netstumbler/kismet-like functionality.
GPS support to map networks.
Logging in Kismet (XML) format.
All testing was done on a Nokia N95 8GB. Another phone that works is the Nokia E51.
Notes
It seems that the wifi card on phones and Symbian are quite capable, if you know the right API. JoikuSpot is an app that turns your phone into an access point. Perhaps Symbian allows applications to do raw 802.11 networking. If so, coding aircrack-like apps is possible. Ideally, IP-over-DNS would be implemented like a "vpn". That is, all traffic from the phone passes to the application, and the application tunnels it over DNS. This requires Symbian to have something like UNIX's tap interface. If it doesn't though, we can code IP-over-DNS by setting the web proxy of the browser to 127.0.0.1 and faking a proxy in the application. This will forward only web traffi...

Update: Barbelo v0.3 [ 31/05/08 ]

Barbelo is a wireless (WiFi) security related toolset for Symbian S60 v3. It currently supports, in a primitive form:
Standard netstumbler/kismet-like functionality.
GPS support to map networks.
Logging in Kismet (XML) format.
Usage
If you want GPS support, start GPSd prior to Barbelo.
You can select a network in the scan/map tab by pressing up or down.
You can view the details of a network in the scan/map tab by "clicking" on it (pressing the "fire" key between the arrows on the N95).
You can zoom in/out in map view by pressing hash/star respectively.
Logs go into e:\barbelo\logs.

New Barbelo v0.3

Barbelo is a wireless (WiFi) security related toolset for Symbian S60 v3. It currently supports, in a primitive form: Standard netstumbler/kismet-like functionality. GPS support to map networks. Logging in Kismet (XML) format.
Barbelo releases: barbelo-v0.3.sisx (31/05/08).