Okay, I haven't posted any hacking stuff for a while that was worth a damn. So Weak-Net is back up and running with about 6 machines and 4 routers for pentesting. Lately I have been hacking a lot wirelessly with both encrypted networks and unencrypted networks. The encryption hacking I can do pretty damn well now, and I feel like I can read a router's config with telepathy. I found a cool way to get routers to respond, that never did before, to massive amounts of fake ARP requests (for WEP). Here's a quick howto:
http://www.zombie.el.cx/texts/hacking/pdfs/unARPable.pdf
This would be for when a router would respond to one or two ARPs and start dropping the rest while sending deauthentication packets at the MAC of the attacker.
Also, configuring Ubuntu on the stupid MacBook I have gave me a reason to make a list of dependencies for hacking tools. You can skim down through this article to the bottom for a quick list if you're interested. Most of WEP cracking is done with libcrypto and libpcap-dev.
http://www.zombie.el.cx/texts/hacking/pdfs/Macbuntu-Text.txt
WEP is going to be gone soon; it's mostly replaced nowadays with any cypher of WPA or WPA2. WPA is still completely hit or miss as far as breaking the encryption. Meaning, you still need the passphrase in your file to be hashed. I broke the WPA and WPA2 here at the Lab with the latest version of Cowpatty from the Church of WiFi. Yeah, they got Cowpatty to now bruteforce WPA2 - very cool. Getting the wireless card to create the 4-way handshake though was also hit or miss. Either the victim client/station would drop my forged packets, or airodump-ng would show the victim get deauthed and reconnect without gathering the handshake!
I tried everything: I made sure the card was set to the BSSID of the WAP, the channel was dead on, the packets were filtered, etc., and this method only worked 60% of the time. And since I knew my passphrase was within the dictionary file, it was cheating, but it worked. Now the Church of WiFi has a rainbow table set about 35GB in size, which means you can get into any router ye wanted pretty much in your lab.
Wesside-ng: this was a cool tool to play with. At first I felt dirty cos it was pretty skiddyish, but when it worked it was just sexy. My friend Tekk wrote a similar version with an older version of aircrack (before ng) and it was a Perl front end. I just wrote a cool Perl script that runs airodump-ng and greps for a certain MAC address and the Power (proximity). This could be used to "Track Down" (like the Shimomura movie) a hacker that you grepped from your logs. Macchanger is a great tool, but my cards start to act funny after I change their MAC addresses. The channels jump around, and they lose connection frequently.
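The MAC-and-power tracker described above, as an added example that is not the post's Perl script: instead of grepping the live airodump-ng screen, it reads the `<prefix>-01.csv` that `airodump-ng -w prefix` writes (an access-point table followed by a station table) and pulls the Power column for one MAC across successive snapshots. The CSV text in the block is constructed for the example, and the 3 dB "closer/farther" threshold in `trend()` is a chosen heuristic, not anything airodump-ng defines.

```python
"""Follow one MAC's signal strength in airodump-ng's CSV output.

Added example, not the post's Perl script.  Reads the <prefix>-01.csv that
`airodump-ng -w prefix` writes (AP table, then station table) and reports
the Power column for the MAC of interest.  The CSV snapshots below are
constructed for this example; the 3 dB threshold is a chosen heuristic.
"""
import csv
import io
import time

AP_TABLE_HEADER = "BSSID"            # first cell of the access-point table header
STA_TABLE_HEADER = "Station MAC"     # first cell of the station table header


def parse_airodump_csv(text):
    """Return {MAC: {"role", "power", "bssid"[, "essid"]}}; power is None when airodump reports -1."""
    seen, section = {}, None
    for fields in csv.reader(io.StringIO(text), skipinitialspace=True):
        if not fields or not fields[0].strip():
            continue
        first = fields[0].strip()
        if first == AP_TABLE_HEADER:
            section = "ap"
            continue
        if first == STA_TABLE_HEADER:
            section = "station"
            continue
        if section == "ap" and len(fields) >= 14:
            power = int(fields[8])                       # "Power" column of the AP table
            seen[first.upper()] = {"role": "ap", "bssid": first.upper(),
                                   "essid": fields[13].strip(),
                                   "power": None if power == -1 else power}
        elif section == "station" and len(fields) >= 6:
            power = int(fields[3])                       # "Power" column of the station table
            seen[first.upper()] = {"role": "station", "bssid": fields[5].strip().upper(),
                                   "power": None if power == -1 else power}
    return seen


def power_of(text, mac):
    """Signal strength (dBm) of `mac` in one CSV snapshot, or None if absent or unmeasured."""
    entry = parse_airodump_csv(text).get(mac.upper())
    return None if entry is None else entry["power"]


def track(snapshots, mac):
    """Power readings for `mac` across successive CSV snapshots."""
    return [power_of(s, mac) for s in snapshots]


def trend(readings, threshold_db=3):
    """'closer', 'farther' or 'steady' from the first and last measured readings."""
    measured = [r for r in readings if r is not None]
    if len(measured) < 2:
        return "unknown"
    delta = measured[-1] - measured[0]          # dBm rises toward 0 as you get closer
    if delta >= threshold_db:
        return "closer"
    if delta <= -threshold_db:
        return "farther"
    return "steady"


def follow(csv_path, mac, interval=2.0):
    """Poll a CSV that airodump-ng is still writing and print PWR changes (Ctrl-C to stop)."""
    history = []
    while True:
        with open(csv_path, encoding="utf-8", errors="replace") as fh:
            history.append(power_of(fh.read(), mac))
        print("%s PWR=%s trend=%s" % (mac, history[-1], trend(history)))
        time.sleep(interval)


# --- constructed snapshots in airodump-ng's CSV layout (not real captures) ---
SNAPSHOT_T0 = """\

BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2007-12-29 14:02:11, 2007-12-29 14:05:40,  6,  54, WEP , WEP, OPN, -62,      120,     3402,   0.  0.  0.  0,   8, weak-net, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:BB:CC:DD:EE:FF, 2007-12-29 14:02:30, 2007-12-29 14:05:40, -71,      210, 00:11:22:33:44:55, weak-net
DE:AD:BE:EF:00:01, 2007-12-29 14:03:02, 2007-12-29 14:05:39,  -1,       14, (not associated), linksys
"""
SNAPSHOT_T1 = SNAPSHOT_T0.replace("-71,", "-58,")   # same scene a moment later, target now stronger

if __name__ == "__main__":
    target = "aa:bb:cc:dd:ee:ff"
    readings = track([SNAPSHOT_T0, SNAPSHOT_T1], target)
    print(target, readings, trend(readings))
```

For live use, run `airodump-ng -w track wlan0` in one terminal and `follow("track-01.csv", "aa:bb:cc:dd:ee:ff")` in another; a station that airodump-ng has not measured yet shows Power -1, which the parser reports as None so it does not skew the trend.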
Here is a Wesside-ng video I made: (Camtasia is sexy)
http://zombie.el.cx/images/wesside-ng.html
Sniffing and MITM: I have had great success with capturing traffic wirelessly, then replaying it offline. Yeah, that sounds weird, but this is what happens:
1-I make a cap file running airodump.
2-I strip the 802.11 headers off of the packets.
3-I replay the packets, sending them via a device like eth0 or lo to... nowhere.
4-I sniff the traffic with tools that can only sniff through a device, not over a LAN.
5-I grep for payloads from the output.
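Step 2 of that recipe, stripping the 802.11 headers so LAN-only sniffers can read the traffic, as an added example that is not the post's own code: a standard-library Python rewriter that turns the plaintext data frames in an airodump-ng .cap into Ethernet II frames and writes a new pcap you can hand to tcpreplay or tcpdump -r. It assumes (the post does not say) that the capture is classic pcap with linktype 105 (raw 802.11, no radiotap header) and that frames carry no trailing FCS unless you pass has_fcs=True; frames with the Protected bit set are still WEP/WPA ciphertext, so they are dropped and you would run airdecap-ng first. The sample capture in the block is constructed, not a real trace.

```python
"""Rewrite 802.11 data frames from an airodump-ng .cap as Ethernet II frames.

Added example (not the post's own code) for step 2 of the offline replay
recipe.  Standard library only.  Assumptions not stated in the post: the
capture is classic pcap with linktype 105 (raw 802.11, no radiotap), and
frames carry no trailing FCS unless has_fcs=True.  Frames with the
Protected bit set are dropped: decrypt with airdecap-ng first.
"""
import struct

LINKTYPE_ETHERNET = 1
LINKTYPE_IEEE802_11 = 105
LLC_SNAP = b"\xaa\xaa\x03\x00\x00\x00"   # LLC/SNAP prefix that precedes the EtherType


def parse_pcap(data):
    """Return (linktype, [(ts_sec, ts_usec, frame_bytes), ...]) from a classic pcap."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(end + "I", data[20:24])[0]
    pkts, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        pkts.append((ts_sec, ts_usec, data[off:off + incl_len]))
        off += incl_len
    return linktype, pkts


def write_pcap(linktype, pkts):
    """Serialise [(ts_sec, ts_usec, frame_bytes), ...] as a little-endian classic pcap."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)]
    for ts_sec, ts_usec, frame in pkts:
        out.append(struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame)
    return b"".join(out)


def dot11_to_ethernet(frame, has_fcs=False):
    """Return an Ethernet II frame for a plaintext 802.11 data frame, else None."""
    if len(frame) < 24:
        return None
    fc0, fc1 = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    if ftype != 2 or subtype & 0x04:        # keep only data subtypes that carry a body
        return None
    if fc1 & 0x40:                          # Protected Frame: still WEP/WPA ciphertext
        return None
    to_ds, from_ds = fc1 & 0x01, (fc1 >> 1) & 0x01
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    hdr_len = 24
    if to_ds and from_ds:                   # WDS: RA, TA, DA, SA
        hdr_len, dst, src = 30, a3, frame[24:30]
    elif to_ds:                             # station -> AP: BSSID, SA, DA
        dst, src = a3, a2
    elif from_ds:                           # AP -> station: DA, BSSID, SA
        dst, src = a1, a3
    else:                                   # IBSS: DA, SA, BSSID
        dst, src = a1, a2
    if subtype & 0x08:                      # QoS Data adds a 2-byte QoS Control field
        hdr_len += 2
        if fc1 & 0x80:                      # ...plus 4-byte HT Control when Order is set
            hdr_len += 4
    body = frame[hdr_len:-4] if has_fcs else frame[hdr_len:]
    if len(body) < 8 or not body.startswith(LLC_SNAP):
        return None
    return dst + src + body[6:8] + body[8:]  # DA, SA, EtherType, payload


def convert_capture(pcap_bytes, has_fcs=False):
    """Return (ethernet_pcap_bytes, frames_kept, frames_dropped)."""
    linktype, pkts = parse_pcap(pcap_bytes)
    if linktype != LINKTYPE_IEEE802_11:
        raise ValueError("expected linktype 105 (raw 802.11); got %d" % linktype)
    kept, dropped = [], 0
    for ts_sec, ts_usec, frame in pkts:
        eth = dot11_to_ethernet(frame, has_fcs)
        if eth is None:
            dropped += 1
        else:
            kept.append((ts_sec, ts_usec, eth))
    return write_pcap(LINKTYPE_ETHERNET, kept), len(kept), dropped


# --- constructed sample capture (made up for this example, not a real trace) ---
STA, AP, GW = (bytes.fromhex(h) for h in ("001122334455", "66778899aabb", "ccddeeff0011"))
HTTP_LINE = b"GET /index.html HTTP/1.0\r\n"
IPV4_STUB = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(HTTP_LINE), 1, 0, 64, 17, 0,
                        bytes([10, 0, 0, 5]), bytes([10, 0, 0, 1]))   # checksum left 0


def build_dot11_data(src, dst, bssid, payload, protected=False):
    """Station-to-AP (ToDS=1) data frame carrying LLC/SNAP + IPv4 EtherType."""
    fc1 = 0x01 | (0x40 if protected else 0)
    return (bytes([0x08, fc1]) + b"\x00\x00" + bssid + src + dst + b"\x10\x00"
            + LLC_SNAP + b"\x08\x00" + payload)


SAMPLE_PCAP = write_pcap(LINKTYPE_IEEE802_11, [
    (1, 0, bytes([0x80, 0x00]) + b"\x00\x00" + b"\xff" * 6 + AP + AP + b"\x00\x00" + b"beacon"),
    (2, 0, build_dot11_data(STA, GW, AP, IPV4_STUB + HTTP_LINE)),
    (3, 0, build_dot11_data(STA, GW, AP, IPV4_STUB + HTTP_LINE, protected=True)),
])

if __name__ == "__main__":
    eth_pcap, kept, dropped = convert_capture(SAMPLE_PCAP)
    print("kept %d, dropped %d" % (kept, dropped))
    for _, _, f in parse_pcap(eth_pcap)[1]:
        print(f[:6].hex(), "<-", f[6:12].hex(), f[12:14].hex(), f[14 + len(IPV4_STUB):])
    with open("ethernet.pcap", "wb") as fh:   # feed this to tcpreplay -i lo / tcpdump -r
        fh.write(eth_pcap)
```

Of the three constructed frames only the plaintext data frame survives: the beacon is management traffic and the WEP-protected copy is dropped. Management and control frames are what `wireless` sniffers key off; once you are down to Ethernet frames, tools that only know how to read a device or an Ethernet pcap (steps 3 and 4 above) see a normal LAN capture.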
That IS fun, and you can read about it here:
http://www.zombie.el.cx/texts/hacking/pdfs/dsniffing-intro2.pdf
If you DO want to sniff across the LAN you can always do this:
http://www.zombie.el.cx/texts/hacking/pdfs/MITM.pdf
Wifizoo (watch this video!!!!11 XD)
If you are lucky enough to "stumble" upon an encrypted network with heavy traffic in your lab, you can test Wifizoo! Wifizoo is so amazing. Here in this video you will see me erase ALL of my cookies from my machine, log into my Phonelosers account with my Windows machine (wireless) and then snort the cookies I had set in the Windows machine from the Linux machine running Wifizoo. It's as if I simply logged into my account with the Linux box and clicked "remember me" and "remember my password!"
This is my favourite video I have made so far:
http://zombie.el.cx/videos/hacking/cookie-sniffing.html
Imagine the possibilities.
Linux Help: For some reason there was an issue of people not being able to mount SMB shares with Linux, so I wrote this; it may help, may not. Don't read it if you are familiar with the SMB protocol, it's kinda lame.
http://www.zombie.el.cx/texts/hacking/pdfs/smbshares.pdf
And now, in conversation about hacking videos, I present you my last video. Have you ever watched a screencast and thought "hey, that's a cool song.."? Well, here I show how to rip the music file from an flv. When done with avi it sounds awful and mangled. So, just sift through the html or js to find the video's exact location and wget it.
http://zombie.el.cx/images/saving-mp3.html
I may have posted two of those videos before already, I'm not sure. If I did, it probably didn't make a lot of sense to anyone who wasn't familiar with wireless hacking. If you ARE new to the subject, well.. here is the biggest introduction to the subject I have ever seen/written:
http://www.zombie.el.cx/texts/hacking/pdfs/WiFu-2007-trevelyn.txt (don't mind the ramblings in it)
Yay! That's what I have been up to lately. My gf broke up with me, I think. I found a cool energy drink called Cocaine that has been so nice to me lately (no more headaches). My Christmas was completely ruined cos I was sick in bed all day. I acquired a crazy cool KVM switch I will post about later. And it's been a mild winter so far in Pittsburgh. Hope all is well with everyone and hope you all are having loads of phun hacking and phreaking!!!!!!!
<3 Trevelyn.