
Posts

Showing posts from January, 2009

Airdecloak-ng

Airdecloak-ng is a tool that removes WEP cloaking from a pcap file. Some WIPS (actually one) actively “prevent” cracking a WEP key by inserting chaff (fake WEP frames) in the air to fool aircrack-ng. In some rare cases, cloaking fails and the key can be recovered without removing this chaff. In the cases where the key cannot be recovered, use this tool to filter out the chaff. The program works by reading the input file and selecting packets from a specific network. Each selected packet is put into a list and classified (the default status is “unknown”). Filters are then applied (in the order specified by the user) on this list. They will change the status of the packets (unknown, uncloaked, potentially cloaked or cloaked). The order of the filters is really important since each filter will base its analysis, amongst other things, on the status of the packets, and different orders will give different results. Important requirement: The pcap file needs to have all packets (including beacons and al

Improvements to airbase-ng

Support was added for three new command line parameters:
-P : respond to all probes, even when specifying ESSIDs
-I interval : sets the beacon interval value in ms
-C seconds : enables beaconing of probed ESSID values
When using a list of ESSIDs, all ESSIDs will be broadcast with beacons. As extra ESSIDs are added, the beacon interval value is now adjusted based on the number of ESSIDs times the interval value (0x64 is still the default). To support "fast" beaconing of a long list of ESSIDs, the -I parameter can be used to set a smaller interval. To get a 0x64 interval for N beacons, set the -I parameter to 0x64/N. If this value goes below ~10 or so, the maximum injection rate will be reached and airbase-ng will not be able to reliably handle new clients. Since each card's injection rate is different, the -I parameter allows it to be tuned to a specific setup and injection speed based on the number of beacons. When using one or more

Aircrack-ng 1.0rc2

Updating is recommended: there were a lot of bug fixes and improvements, and 2 new tools were added: airdecloak-ng and tkiptun-ng. In Aircrack-ng, WPA bugs should be fixed and speed was greatly improved for computers that support SSE2. The latest versions of Airgraph-ng and Airoscript were included in this release. Important note: It does not support peek drivers. Changelog:
aircrack-ng: Added SSE2 support (WPA cracking speed is improved a lot) thanks to nx5.
aircrack-ng: Fixed detection of the number of CPUs (especially with recent CPUs).
aircrack-ng: Fixed long lasting WPA bugs: cannot find the key with SMP computers, wasn't exiting correctly, ...
aircrack-ng: Fixed usage of a dictionary with WEP.
aircrack-ng: Now only displays ASCII WEP keys when 100% of the hex key can be converted to ASCII.
aircrack-ng: You can now specify the number of threads for cracking even if you have a non-SMP computer.
aircrack-ng: Now outputs an error message if using -r and it wasn't compiled with sqlite

MDK3

The new MDK3 uses the osdep injection library from the www.aircrack-ng.org project. The Linux-dependent includes have been removed; mdk3 compiles and runs on FreeBSD and even Windows (Cygwin). For Windows you need special drivers, a possibly illegal DLL file and the Cygwin environment. Please see the aircrack-ng website for details. MDK3 has successfully been tested on the new mac80211 stack in kernel version 2.6.23 with the rt2x00 driver and an rt73usb card. If you are a Linux user, just make, make install and have fun. If you are a FreeBSD user, do the same, and report back to me if it works correctly there. And very important, don't forget to type mdk3 instead of mdk2 now ;) MDK3 is licensed under GPLv2. Features:
- Bruteforce MAC Filters
- Bruteforce hidden SSIDs (some small SSID wordlists included)
- Probe networks for checking if they can hear you
- Intelligent Authentication-DoS to freeze APs (with checking for success)
- Beacon Flooding with channel hopping (can crash NetSt

RaLink RT2570USB Enhanced Driver

RaLink RT2570USB Enhanced Driver
* Prism header can be toggled via iwpriv, no automatic changes which screwed up packet captures!
* MAC changing supported
* Support for Fragmentation Attack
Fragmentation support is now considered stable. The 1.5.0 version has some important fixes for kernel version 2.6.19 and above. For further details on the fragmentation attack see the paper by Andrea Bittau: http://toorcon.org/2005/slides/abittau/ The serialmonkey CVS repository updated its driver from a new RaLink legacy one. Version 1.6.0 is the modification of this driver with fragmentation support, MAC changing and prism headers enabled by default. This driver seems to fix some threading, SMP and endianness issues, so it should be more stable than previous releases. Go get it! Version 1.6.1 works for 2.6.22 kernels and comes with some more stability improvements. AND NOW FINALLY: Version 1.6.2 with a new base version from serialmonkey CVS, all the patches from the previous version an

RaLink RT73 USB Enhanced Driver

RaLink RT73 USB Enhanced Driver
* Support for Fragmentation Attack
* Interface is called rausb0 instead of wlan0 to prevent some tools incorrectly detecting it as a wlanng or hostap driver
* Injection speed can be selected with the iwconfig rate command. The default speed is still 54 MBit. You may want to lower it to 1 MBit before injection with iwconfig rausb0 rate 1M
* NEW: ToDS packets aren't dropped by the driver anymore. WPA handshake captures are finally possible!
IMPORTANT! Version 3.0.0 is a new fork from the current serialmonkey CVS. It has fixes for 2.6.24 and 2.6.25 and does not need setting a MAC address before bringing the interface up. This version includes all the enhancements of the 2.0 series of this driver. If you unplug the card while it's still in use, it may crash your system. So close all applications accessing it, bring the interface down and then remove the device. IMPROVEMENT! There is a tiny extra in the 3.0.0 driver. Maybe you can find it with iwpriv ;) YOU MAY HA

Enhanced Injection driver for Intel ipw3945

This is based on a driver made for testing purposes called ipwraw. It allows raw packet Tx/Rx with the Intel PRO/Wireless 3945ABG adapter; it is raw mode only and can't be used for normal connections to the internet. ipwraw doesn't have wireless extensions, so this modification adds some to make it easier to work with programs like aircrack-ng, kismet, mdk, ... New in ipwraw-ng 2.3.4:
* Added compatibility fixes for recent kernels (2.6.23 and newer)
* Fixed bug when setting 5.5 Mb/s rate with iwconfig
* Fixed bugs (I hope) in Makefile - it would report that old firmware versions were adequate and also had some cosmetic glitches
* Added set TxPower Wireless Extension. Now TxPower can be set using iwconfig INTERFACE txpower TXPOWER (INTERFACE is normally wifi0, or eth0; TXPOWER is the value you want to set, min=-12 and max=16)
This version includes some fixes ported from the ipw3945 driver. It should be more stable now... D

RT73 Wireless Driver Update Kernel 2.6.27 - better RF sensitivity

There are a considerable number of people using computers with Linux that depend on Ralink RT73 devices for wireless network access. As usage of the advanced kernels increases, legacy wireless drivers lose compatibility and require replacement. The excellent K2WRLZ drivers for Ralink wireless devices are an example, and recently they have been made compatible with kernel 2.6.27. Follow the procedure below to upgrade the legacy RT73 wireless driver for compatibility with Debian or Slackware based systems (Sidux, Ubuntu, Slax, Bluewhite64, etc.) that use kernel 2.6.27. The upgrade process consists of obtaining the source code, then compiling and installing the new driver. From start to finish, no more than fifteen minutes are required of the average person. The author is rather slow, and was successful in the upgrade; anyone who can download files and work in the Linux console (executing a few commands) should have no problem. Start by downloading the latest driver: rt73-k2wrlz-3.0.2.tar.b

Aircrack-ng 1.0rc2

Aircrack-ng 1.0rc2 is released. Updating is recommended: there were a lot of bug fixes and improvements, and 2 new tools were added: airdecloak-ng and tkiptun-ng. In Aircrack-ng, WPA bugs should be fixed and speed was greatly improved for computers that support SSE2. The latest versions of Airgraph-ng and Airoscript were included in this release.

AWUS036EH 802.11g Turbo Long-Range Wireless LAN USB Adapter

The AWUS036EH Wireless USB adapter lets users join an IEEE 802.11g wireless network at 54 Mbps in the 2.4GHz band, and is also compatible with IEEE 802.11b wireless devices at 11Mbps. You can configure this adapter in ad-hoc mode to connect to other 2.4GHz wireless computers, or in Infrastructure mode to connect to a wireless AP or router for Internet access. This adapter includes a convenient utility for scanning available networks and saving preferred networks that users usually connect to. Security encryption can also be configured by this utility. Features:
- Complies with Universal Serial Bus Rev. 1.0, 1.1 and 2.0 specifications.
- High power (200mW) for long-range distance
- High speed data transfer rate up to 54 Mbps
- Dynamic data rate scaling at 1, 2, 5.5 and 11Mbps for 802.11b and 6, 9, 12, 18, 24, 36, 48 and 54Mbps for 802.11g
- Supports turbo mode for 72 Mbps data rate
- Supports wireless data encryption with 64/128-bit WEP, WPA (TKIP with IEEE 802.1x) and

Nokia Field Test Display overview (Symbian app)

1.1 Information on the serving cell
1.2 More information on the serving cell
1.3 Information on the serving cell, 1st and 2nd neighbour
1.4 Information on the 3rd, 4th and 5th neighbour
1.5 Information on the 6th, 7th and 8th neighbour
1.6 Network selection display
1.7 Current cell flags
1.8 TMSI, PRP, T3212 (Location Update) timer information
1.9 Network parameters
1.10 Cipher, Hopping, DTX and IMSI status
1.11 Toggle DTX Mode status
1.12 Switch BTS_TEST status
1.13 Change behaviour for barred cells
6.1 General GPRS RLC/MAC information
6.2 Uplink TBF establishment information
6.3 GMM state information
6.4 GMM values and non-DRX parameters
6.5 GPRS network parameters
6.6 PCCCH parameters
6.7 Packet system information parameters
6.9 GPRS serving cell and neighbours
7.1 Information about active PDP contexts 1
7.2 Information about active PDP contexts 2
7.3 RLC state information
7.4 RLC parameters
7.5 RLC data block counters
7.6 LLC Data

ALFA AWUS036H (rtl8187) and linux kernel 2.6.28 - the ultimate ALFA driver

Notice: This tutorial is not only intended for AWUS036H or rtl8187 users; as the mac80211 stack in 2.6.28 is very nice, this tutorial should be helpful/useful for anyone with a wireless card supported by the mac80211 stack. Updates: 09/01/09 17:24CET: fixed a bug in "mac80211_2.6.28-rc8-wl_frag+ack_radiotap_2.6.28_mod.patch", please redownload (h t t p : / / astray.fragstore.net/apps/mac80211_2.6.28-rc8-wl_frag+ack_radiotap_2.6.28_mod.patch) Hey, it seems like the documentation about the Realtek 8187 chipset and aircrack-ng, as well as some of the forum posts, are a bit outdated - they usually cover the r8187 driver, old mac80211 and ndiswrapper things for WPA authentication. I've been searching for a complete solution, which allows me to use the ALFA AWUS036H in monitor mode, packet injection, fragmentation attacks, as well as authenticating with my AP using WPA or WPA2 without driver switching and other hassles, without much success. (e.g. h t t p : / / forums.remote-explo

Frontline Bluetooth Sniffer 5.6.9.0

Bluetooth security seems to be very good compared to 802.11 problems. But most of Bluetooth security is based on the PIN you have to enter when pairing two devices, or on the link key which is derived from it. In addition Bluetooth uses many more channels and hops frequently within the spectrum, which makes analyzing a real pain. Sniffing raw communication without being paired has until now only been available to rich companies or individuals who could buy one of the over-priced Bluetooth sniffers. Frontline is one of the few Bluetooth sniffer manufacturers and they sell their application together with a "special" Bluetooth sniffer ComProbe / dongle. Here are some marketing highlights from their FTS4BT product website:
- Supports EDR (Enhanced Data Rate): FTS4BT is the only analyzer currently on the market to support Bluetooth v2.0 + EDR.
- Finger-sized Bluetooth ComProbe: Air sniffing hardware is incredibly portable and requires no power.
- Synchronized air and HCI sniffing: F

Bluetooth hacking tools

If you are planning to gain a deeper understanding of Bluetooth security, you will need a good set of tools with which to work. By familiarizing yourself with the following tools, you will not only gain a knowledge of the vulnerabilities inherent in Bluetooth-enabled devices, but you will also get a glimpse at how an attacker might exploit them. This hack highlights the essential tools, mostly for the Linux platform, that can be used to search out and hack Bluetooth-enabled devices.
Discovering Bluetooth Devices
BlueScanner - BlueScanner searches for Bluetooth-enabled devices. It will try to extract as much information as possible for each newly discovered device. Download BlueScan.
BlueSniff - BlueSniff is a GUI-based utility for finding discoverable and hidden Bluetooth-enabled devices. Download BlueSniff.
BTBrowser - Bluetooth Browser is a J2ME application that can browse and explore the technical specification of surrounding Bluetooth-enabled devices. You can browse device info

How to hack mobile phones with Bluetooth

All is explained here in the description. This is a tutorial on how to hack most mobile phones with Bluetooth from your Sony Ericsson or Nokia phone. You need a program called "Super Bluetooth Hack" (it's also called "BT Info"). You can download it in many places, such as: http://www.hack.pt.tp/ or http://rapidshare.com/files/63828767/... (these are the newest versions! It's version 1.08) or try Google (search for "BT Info" or "Super Bluetooth Hack"). With the program you can do things on the other phone such as:
- read SMS messages
- read contacts
- change profile
- play ringtone (even if the phone is on silent)
- play songs
- restart the phone
- turn off the phone
- restore factory settings
- change ringing volume
- call from the other phone (it includes all call functions like hold etc.)
Notes: 1.) When connecting devices use the code 0000 2.) At the start of the program on smartphones do not forget to turn on Bluetooth before starting the applic

Categories of bluetooth hacking

Bluetooth hacks are categorised broadly as: Bluejacking, Bluesnarfing, Bluebugging, Bluetoothing. Bluejacking is the simplest of the four. The hacker uses it by making an attempt to send a phone contact or business card to another nearby phone. The ‘name' field of the contact can be misused by replacing it with a suggestive text so that the target device reads it as part of the intimation query displayed on its screen. This may be thought of as equivalent to spam e-mail since both are unsolicited messages displayed on the recipient's end without consent, by exploiting the inherent nature of the communication. Bluesnarfing goes a step further and actually accesses or steals data like messages, calendar, phone book etc. from the target device in an unauthorised manner, which includes bypassing the usual pairing requirement. Here, the problem is bigger since there have been reports of tools that use methods such as device address guessing and brute force in order to break in, even whe

Intel Wireless Wi-Fi 5100 injection working

OS: kernel 2.6.27.10 (Ubuntu Intrepid)
Card: Intel 5100AGN
Files:
http://tinyshell.be/aircrackng/forum/index.php?action=dlattach;topic=4217.0;id=415
http://tinyshell.be/aircrackng/forum/index.php?action=dlattach;topic=4217.0;id=416
http://tinyshell.be/aircrackng/forum/index.php?action=dlattach;topic=4217.0;id=417
Get the tools and kernel source so you can recompile.
"sudo apt-get install kernel-package libncurses5-dev fakeroot wget bzip2 linux-source"
Go to your source directory and unpack the kernel source, and go into the source directory.
"cd /usr/src"
"sudo tar jxvf linux-source-2.6.27.tar.bz2"
"cd linux-source-2.6.27"
Copy your existing kernel configuration into the linux source folder. This allows you to keep your existing settings, but add in support for injection.
"sudo cp /boot/config-`uname -r` ./.config"
Take the 3 patched source files posted at the top and replace the ones in your linux source folder.
"sudo mv iwl-sta.c

Magic Blue Hack v1.0: Hack Your Friend’s Phone via Bluetooth

Magic Blue Hack is Bluetooth hacking software for any J2ME Bluetooth handset. By using this software on your mobile you can hack another open Bluetooth device. It may ask for permission to start the Bluetooth service with another device the first time. But there is no need to set up this software on the other mobile which you want to hack. MagicBlueHack Documentation. How To Setup: This software is only for Java MIDP-2 Bluetooth supported handsets. For some mobiles there is no need to set up this software; you can run it directly from the location where the file MagicBlueHack.jar is situated, and for some mobiles it needs to be set up from the file named MagicBlueHack.jar. After setup you can find it in your menu folder or wherever other software is found after setup. But there is no need to set up this software on the mobile which you want to hack. How To Run: First turn on Bluetooth on your handset -> then run MagicBlueHack from your handset. Then select Connect from the Option menu. Wait till the message “Device Search Completed” appears. T

Nokia Field Test

Field Test Phone (FTD) is a portable tool for verification, maintenance and troubleshooting of mobile networks as well as for basic cell planning tasks. Its small size and powerful testing features make it a convenient tool for day to day monitoring of all GSM - GPRS / EDGE and future UMTS - WCDMA networks. What you can check with the FTD phone:
- Full GSM signaling which can be visible to the network operator: Information on the serving cell: hopping, channel carrier number, RX level, TX power levels, RX quality, time slot, timing advance, radio link timeout, C1, C2, currently used band, type of current channel... Information on the 1st, 2nd, 3rd, 4th, 5th, 6th, 7th, 8th neighbours. Network selection display. System information bits for the serving cell. Paging repeat period, TMSI, periodic location update. Network parameters. Ciphering, hopping, DTX status and IMSI. Uplink DTX switching display. BTS-TEST carrier: lock / unlock on one BTS frequency. Toggle cell barred status. Se

How-To receive a valid Windows 7 key

Because of the overloaded Microsoft servers it can be hard to get a valid key. To get a valid key the fastest, just follow these simple steps:
Step 1: Log on to http://technet.microsoft.com (click on Sign in in the upper right corner)
Step 2: Copy (don’t CLICK IT!) one of the links below to the address bar and press enter:
32-bit key: https://www.microsoft.com/betaexperience/scripts/gcs.aspx?Product=tn-win7-32-ww&LCID=1033 (don’t click, copy and paste!)
64-bit key: https://www.microsoft.com/betaexperience/scripts/gcs.aspx?Product=tn-win7-64-ww&LCID=1033 (don’t click, copy and paste!)
Step 3: If you receive the error below, just press F5 to refresh; if you’re being redirected then you didn’t follow steps 1 and 2 correctly!

Mac80211

Mac80211 is the new wireless stack of the Linux kernel. It is included in the kernel since 2.6.22, but drivers are only included since 2.6.24. The following drivers use mac80211 (not all have been tested to work with aircrack-ng):
acx1xx (Acx)
adm8211 (ADMtek)
at76_usb (Atmel)
ath5k (Atheros A/B/G/Super-G)
ath9k (Atheros xspaN)
b43 and b43legacy (Broadcom)
iwl3945 (not to be confused with ipw3945/ipwraw)
iwlagn (formerly iwl4965)
libertas_tf (Marvell Libertas)
p54 (PrismGT in SoftMAC mode, but also supports FullMAC cards)
rt2x00 (includes rt2400pci, rt2500pci, rt2500usb, rt61pci and rt73usb)
rtl8180 (not to be confused with r8180 AKA r8180-sa2400, also supports RTL8185 cards)
rtl8187 (not to be confused with r8187 - RTL8187B supported in 2.6.27+)
zd1211rw (starting with 2.6.25)
In general, these drivers will mostly work with aircrack-ng, but there may be exceptions. Here is a list of drivers (with appropriate patches) that people have reported as working successfully with the aircrack-

Download yellowsn0w

The yellowsn0w iPhone 3G unlock has been released! This is yellowsn0w version 0.9 and it's still in beta, so use it at your own risk. Note: You must upgrade to the latest 02.28 baseband (firmware 2.2) in order to use this unlock, and also jailbreak with QuickPWN/PwnageTool and add Cydia/Installer. Here is the iPhone 3G firmware 2.2 download link: http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5778.20081120.Aqw4R/iPhone1,2_2.2_5G77_Restore.ipsw You can install the yellowsn0w 3G unlock by using either Cydia or Installer, whichever you prefer. Below is a list of the repos/sources. Note: The DevTeam also says that once you are done installing yellowsn0w through Cydia, go back to the main menu on Cydia and restart your iPhone with the 3rd party SIM installed. Wait for the slide to unlock screen, and then wait 10-15 seconds. If you don't see your carrier name pop up you must remove your SIM, insert it again, and wait 10 seconds. (The DevTeam plans on eliminating this

Hacking internet web cameras

First go to the Google search website through www.google.co.in and then in the search box type (without quotes) “inurl:/view/index.shtml” and press enter. Then you will get a list of web cameras working on the net. Note: if you type the IP address of the computer in place of inurl then the web camera of that computer can be hacked. Example: you can type in Google search 207.111.165.30/view/index.shtml to view the web camera used at that IP address. The other Google search links which make web cameras publicly viewable are: inurl:/view.shtml intitle:”Live View / - AXIS” | inurl:view/view.shtml^ inurl:ViewerFrame?Mode= inurl:ViewerFrame?Mode=Refresh inurl:axis-cgi/jpg inurl:axis-cgi/mjpg (motion-JPEG) inurl:view/indexFrame.shtml inurl:view/index.shtml inurl:view/view.shtml liveapplet intitle:”live view” intitle:axis intitle:liveapplet allintitle:”Network Camera NetworkCamera” intitle:axis intitle:”video server” intitle:liveapplet inurl:LvAppl intitle:”EvoCam” inurl:”webcam.html” intitle:”Live NetSna

Hacking Web Cameras

Hacking web cameras, or at least finding them online and available in Google or MSN, has never been easier. While companies continue to leave their security cameras open to the public, and indexable in Google or MSN, there is a lot of humor that can be obtained by watching security cameras, and any Internet connected web cam. The Sony SNC-RZ30 series is a web connected camera system in use by many companies. The Google hack is here and the MSN/Live hack is here. There is a difference between the two search queries: MSN Live does not need as much information as the Google hack, but both are entertaining. Mobotix is another widely used security Internet connected web camera system. The Google hack is here, and the MSN Live hack is here. Webthru also has a simple Google hack and MSN hack to see what is happening on those systems as well. The Google hack is here, the MSN/Live hack is here. The difference between the Google and MSN/Live hacks is one of language and putting together the search q

the 0.9.1 beta yellowsn0w 3G unlock application

BASICS: The unlock works exclusively with baseband 02.28.00. This baseband is provided by the latest firmware update (2.2) from Apple. You’ll need to upgrade to this release using iTunes and then use QuickPwn to activate etc. There are plenty of tutorials about this on iclarified, bigboss, and other established tutorial sites. Because it works on 02.28.00, it is available to everyone on the planet. This means we don’t need to unnecessarily expose holes in earlier basebands, which is an important concern. The application is a small daemon that is launched on boot. It injects the payload at boot and also whenever there is a baseband reset. You won’t notice anything about it other than that your third-party SIM now works. It’s a small program and unobtrusive. There is no GUI (this is by design). You can add the application using the sources outlined below (coming soon). There are Cydia and Installer sources available, so use whichever you are comfortable using. yellowsn0w is complet