Everything posted by joeypesci

  1. So, you're pen-testing and get onto a WEP secured WIFI network. You log on to the router and find they appear to now register machines that are on the network, yours is one of those now registered on it. So if the user was to check the router later, they'd see the unauthorised device that had connected. BTHomeHub2 does this and so does the O2 router. Is there a way to hide from this? Been testing on my old Linksys AP which I don't believe does it. Although does have a log feature that I can put in a log monitor but don't bother.
  2. Kinda got it working in Windows with its own software although seems a bit flaky the software that is. Works fine in Backtrack 4 managed to crack my test WEP AP on my network after following a guide. Need to work out what each command is actually doing now.
  3. Was doing that but keep getting the message when I click Apply.
  4. IPs start from 10.0.0.1 as they are easy to remember :) subnet is 255.255.255.0. I've disabled everything on the laptop now bar the wifi and it's still saying it.
  5. I keep getting this. I can't understand why. I've done what it says here http://www.erasparsa.com/configuring-cain-...ess-lan-adapter Any ideas? Thanks
  6. joeypesci

    Oem Cd

    Someone at work mentioned in the Windows 7 EULA that it says you can put it on up to 3 machines on the same property as long as only one machine is using it at one time. Don't know if he was talking bollards or not.
  7. Right the Alfa Awus036h has turned up. Call me stupid but how do I go about using it with Windows, XP and Win 7? The reason I ask is I've connected it up and installed it on the test laptop. It's started to pick up local APs. I follow the wizard in its software to try and connect to one and even though I've given the correct key and I know the AP is giving out DHCP, it never properly connects. Gets in a loop trying to get an IP and then eventually seems to lose connection and then rescans again. I'm gonna keep trying and try it on another laptop.
  8. joeypesci

    Oem Cd

    Yes unfortunately it is, even though you're not making money or a profit from it. However, they don't really notice or don't bother to blacklist the key if let's say 3 machines have been activated with the same key. If that key gets activated shit loads of times, then they know it's in the black market to black list it. There will be no shitstorm. They'll just black list the key and you'll get a message on next update that your OS is a pirate copy and to buy a genuine licence. OEM licences though are supposed to be tied to the mobo. So if you upgrade the mobo you need to get a new licence. Like I said before, but fuck doing that, it would be too expensive and a fucking stupid rule. It's like my Technet subscription. I wanted to setup a domain etc at home with genuine keys for testing and just to keep it running for months to play etc. To learn. Once I've finished testing I'm supposed to stop using the keys. But I won't. But they'll only ever be available to me, I won't give them out to anyone and because of that, MS seemingly don't bother to enforce the rule that they are supposed to only be for testing. They won't know as some companies test systems for years. If those keys got out into the wild though and were activated thousands of times, then they'd take notice and block list all my keys more than likely. Anyway, enough rambling :) (I haven't checked it over so might not make sense :) )
  9. joeypesci

    Twitter

    Yeah but I think what is happening is, as soon as you press enter, it's removing the S. Also in the settings section, when it asks you to confirm the password, I wonder if that password box that pops up is classed as a new session of IE/Firefox that is just running http
  10. joeypesci

    Twitter

    Tried all above now. Wireshark did pick it up as well and imported the pcap into Miner as it does all the filtering :) Looking back at my vids I did notice some of them appear to have the https but then when you put in your details Twitter is dropping the s. I've done a test as you suggested and changed the http to https before typing in the password but it makes no difference. Wireshark and miner are still picking up the passwords. So it does seem that Twitter are sending the passwords in plain text.
  11. joeypesci

    Oem Cd

    Only problem is OEM is tied to the motherboard legally so once the mobo changes you're supposed to get a new licence. As if anyone does :) Only problem with the OEM stickers is all those keys are deactivated for online activation. You'll have to call MS to get it reactivated. Try it out as you may get lucky but it will probably tell you, you need to call MS to activate it. (Only know as tried some OEM's on bottom of laptops from work, because we wipe ours and reimage so all those Vista keys were going to waste. Once I looked into why the code wouldn't work I found the above.) May be able to go through the phone automation, I never tried so don't know if it works.
  12. joeypesci

    Twitter

    Does it in IE as well. My very first YouTube vids :) http://www.youtube.com/watch?v=177qSf1VcWg and http://www.youtube.com/watch?v=2brI4dy3gdc
  13. joeypesci

    Twitter

    Fuck me the whole system is flawed. I'm not sure if it's Twitter or the way Firefox is handling it as I haven't tested in IE. I tried again and it didn't sniff it, then the 2nd attempt it did. However, I also went to change the password of the actual account and just decided to monitor it on the off chance. And guess what. It sniffs that as well. NetworkMiner however, in the credentials field, shows the old password in the password field, and in the username field shows the new password. I assume this still means both passwords are being sent unencrypted. On that note, I'd never use Twitter on a public shared connection ever again :)
  14. joeypesci

    Twitter

    Tried to find an easy way to contact Twitter but they make it so awkward that I gave up looking.
  15. So I'm on the crap 3 network in the UK for my E71. Coming to the end of my contract so ask the knob jockeys to unlock it, which they said they'd do. They give me a code and it fails. They give me another code and it fails again. They ask me to try again and it fails again now perma locking the phone to the 3 network (convenient considering my contract with them is expiring, bastards). I had told them I wanted to leave 3 at the end of the contract because their service is so shit. They blame Nokia for supplying them with non working codes. So I ask them what are they going to do about it, replace the phone? No, nothing, they are going to do fuck all. So I'm left with a phone that is now perma locked to 3. Does anyone know a way to unlock it without taking it to a local unofficial unlocking shop (I asked in the 3 store and they said they don't do that sort of thing and to call customer services. Which I told them I'd already done.). I'd rather not take it to an unofficial shop as you never know if they are going to clone it when they take down the IMEI number.
  16. joeypesci

    Twitter

    Account settings. You go in and change stuff like unticking the box so people can't find you via your e-mail address on Twitter, stuff like that. Just Twitter's settings. It then asks you to put in your password again before it accepts any changes (their security message). And it's that password box that pops up that isn't encrypted. And no it wasn't a phishing attack someone had done on me :) Just odd that the main login is encrypted but clearly this so called added security, isn't.
  17. http://www.vitamindinc.com/store/pricing.php Vitamin d is free for one camera. Have it installed on my server watching the door. Any movement and it starts recording. Turned off now but was just seeing what it could do. Seems useful. I've always thought about a camera setup in the home, however I'd want to go the whole hog. In the UK I think you have to, for legal reasons have CCTV in Operation sign outside the house (I think this is because not being allowed to film in secret. However, I've read this is a misconception and you can film secretly in the UK, without warning signs and it can still be used as evidence. Obviously would need to check with someone in the legal field. Was mentioned over at moneysavingexpert.com forum by someone legal I think.) Anyway, what I mean by whole hog is I'd want to do what was done in the film Heist. That is, the PC or system recording the video footage would be in its own steel cage locked. To stop the person robbing the very CCTV system that is recording them. But I think this is why I mentioned above, that if you film it without warning, hidden with no signs. Then they probably won't bother to look for the system to take the tapes. I'd also have cameras at eye level instead of high up as most people tend to have hoods or caps on. Covering their face. I do know of a story, was on Crime Watch UK I believe, of a farmer who'd setup a camera to record his home as I think he'd been robbed. And he caught the fuckers on tape. They turned out to be two Pikie kids. He just used a normal camcorder hidden on a shelf. EDIT- Appears the CCTV in operation signs are a choice and aren't required. (For the UK) http://cms.met.police.uk/met/content/downl...le/CCTVhome.pdf
  18. True :) Many a time I sat at a users PC at work googling the issue. They'd be amazed when I'd fix their PC asking me how I remember it all etc. I said "Some of it I don't. As you can see I just use Google" :) or I'd RDP to my desk machine and check my notes.
  19. joeypesci

    Twitter

    As a total noob on hacking, I learn tiny amounts as I go along. Looking at Man In The Middle attacks at the moment, but waiting for some kit to arrive to do it on my own network. While waiting, I just decided to run NetworkMiner recommended on a Hak5 episode. Bored tonight so got it running while surfing the net. Logged into Twitter and checked the Credentials field in NetworkMiner. As suspected it's protected so no user name or password was picked up. However, going into my twitter settings and changing my e-mail settings it asked me to re-enter the password for security as it does. Did that, then checked NetworkMiner again and lo and behold, it appears that password box isn't protected at all as NetworkMiner picked up the password that time. Just thought it was a bit interesting :)
  20. Thanks. Well I'll save the cable in case it's useful for something else maybe. So would this work straight off without having to do any wiring? (although maybe I should do the wiring so I can learn) http://cgi.ebay.co.uk/USB-to-TTL-Serial-Ca...336ab36ffc0d718 Sorry for all the questions.
  21. Does have the big lump on the PC end and the USB plug has an adapter port on it I assume to add power to it if it's under powered? The other end I've opened up and it said Rating 5.3v = 350mA inside it looks like this
  22. Will keep that in mind thanks. How do you know what USB cable to use? I have found an old Logitech IO Personal Digital Pen I no longer want so am binning it. However the cradle for it is USB. How would I find out if I could use this as a serial cable?
  23. And Kon Boot-Seems to work well for getting past the local admin account on Windows machines. I'm interested in all this security but most of it appears too complicated for me so I get confused easy and then lose interest. Practice I guess is the way to go. From the little knowledge I know, you could setup a VM of an XP machine and/or Server machine and try and break in, once you have some knowledge. In IT what I really like is when I know an area enough that I can use my experience to work out a solution to an issue and not have to look back at my notes. When I have to keep looking back at my notes it becomes a bit annoying. This happens with IT security. I only know the basics to get round some minor systems, none impressive at all. My point is, I think it will get easier, once you're in a roll and doing it every day as a job.
  24. What, the cables for the serial cable part you recommended on your site? I may take you up on that offer if I run into issues with this Nokia one :)
  25. I'll have a look thanks. I have the Fon+ Says 2201C on the bottom.