online wpa cracker

[Thorn]

Quote:

Originally Posted by pureh@te

Excellent idea. I wonder if I can code the web app so that the user also has the access to delete his or her own files after wards.

I didn't see why not. You could just give them an upload area (in fact, an FTP would directory work nicely), where they have complete control over their own files. Then, the only question becomes that of backups. If you backup the server, then you might have to code a deletion for any files deleted off the server; which could be a bitch for older files, especially those in off-line and off-site storage. It would probably be better to never backup user files, and to plainly state that in the TOS.

Where do I send my bill for business consulting? Or can I get in on this as a partner?

[pureh@te]

OK well I plan to give it a shot. All the parts should be in this week and then I will need another week or 2 to get the web app together. I mean the worst that can happen is it doesn't work out for whatever reason and then I will just make it a ssh invite only box for friends. I mean like I said I don't really plan or need to make any money I would just like to pay for hosting, parts etc. so if it bombs or gets hacked I'll just discontinue the service. On the subject of back ups, since its a dedicated box only for this I planned to tar up the image right after I get it all installed and working right and then never backing it up. There would be no reason to because if anything went wrong I would rather restore it to its original state anyway. My biggest concern is people uploading malicious code in the cap files but I think I got that figured out.

[archangel.amael]

Quote:

Originally Posted by Thorn

You could vet the subscribers before issuing user credentials.

Good idea the subscription service but just out of curiosity how would you vet the subscribers? I mean at what level of privacy would you give / allow?

Also this is mainly directed to pureh@te, what about people that are outside of the U.S. Would they be able to use the service as well?

[Thorn]

Quote:

Originally Posted by archangel.amael

Good idea the subscription service but just out of curiosity how would you vet the subscribers? I mean at what level of privacy would you give / allow?

I was thinking that if pureh@te is concerned about who he is providing services to, say to comply with regulations that the given person/company is a legitimate pen tester, or was concerned that the would-be subscriber was trying to run an SE, then he might want to do some sort of vetting. It doesn't necessarily have to be very extensive, but it should be enough to CYA.

[williamc]

There are plenty of free NTLM/LM/MD5 crack sites that operate without any legal protection. As they've been online for years, I don't think there is much concern for someone coming after them. Its more or less just providing a demonstration of the insecure authentication. A WPA crack site should operate within the same realm.

My concern with using the site would be providng a companies SSID to a third party. With the LM/NTLM, I can change the account name in the hash and bounce it through a proxy so it doesn't get tied back. Your tool would not provide this security, so it would have limited useage for pen-testing. That would leave it for non work related testing, and paying 10 dollars would be cost prohibitive.

So, to summarize, I'd just release it for free with a heading of "Proof of concept - why WPA is insecure" and say your an academic researcher. Let it show up on Digg and Slashdot and get money through advertising and donations.

William

[pureh@te]

See I disagree with this because a company ESSID is broadcast in the airwaves unlike a ntlm hash user name. And with no GPS coordinates in the .cap file there would be no way of knowing where the AP was. I will take that into consideration. I would do the whole thing purely on donation but my experience with remote-exploit and our donations have left me with a pretty dim view of most of the people that download backtrack. example backtrack 3 over 4 million downloads, donations around a staggering 1500 dollars.

15000 / 4,000,000 =0.000375 per user

[streaker69]

Quote:

Originally Posted by pureh@te

See I disagree with this because a company ESSID is broadcast in the airwaves unlike a ntlm hash user name. And with no GPS coordinates in the .cap file there would be no way of knowing where the AP was. I will take that into consideration. I would do the whole thing purely on donation but my experience with remote-exploit and our donations have left me with a pretty dim view of most of the people that download backtrack. example backtrack 3 over 4 million downloads, donations around a staggering 1500 dollars.

15000 / 4,000,000 =0.000375 per user

Just to drive the point of donations or subscription services home.

My friends and I used to run a service for free and we had about 300 subscribers to the free service. We found that we were going to need to start charging for the service so we took a poll of the users and determined that $1.00/month was a fair value to charge and it would cover our expenses without us making a profit, we only wanted to cover the cost of hosting the service from our provider.

We spent a good bit of time planning it and getting a payment system setup. The day it went live, every single freetard subscriber left. So we no longer provide the service for free or for pay.

People are cheap. They expect the world for free.

[slacker_]

___lunix.izfree.com___


cracking server is not up all the time, but will reply at least once a day, about 5 minutes if online

[floyd]

Quote:

Originally Posted by slacker_

___lunix.izfree.com___


cracking server is not up all the time, but will reply at least once a day, about 5 minutes if online

When I saw this page I knew that I would never use such a service in a pentest, I can't just upload a cap file of my clients. But I would definitely use it when I would test my private network at home. Or if would be a skiddie I would use it to crack my neighbours wifi - but that's no reason to not provide such a service.

[Gitsnik]

Quote:

Originally Posted by floyd

When I saw this page I knew that I would never use such a service in a pentest, I can't just upload a cap file of my clients. But I would definitely use it when I would test my private network at home. Or if would be a skiddie I would use it to crack my neighbours wifi - but that's no reason to not provide such a service.

Not to mention it just looks like a web interface to the offensive security rainbow tables... which anyone could do... the threadmancer didn't (I think) grasp the full backstory to pureh@te's question, namely using his beast for a public service.