Hi fellow reader! *I'm still not used to writing 2011 yet!*
I know I haven't posted anything for a while until now. Life was/is busy, and what free time I had, was limited to other things. Anyway. I'm back (for now at least!).
During my "silent" period, I have still been active script wise as I've been working on "wiffy" and recently started work on "evilGrade" so expect an update soon! Afterwards I plan to complete "SITM" (Script In The Middle), and "wordlists" (After which I'll push out some new dictionaries/wordlists).
Video wise, I've had a few ideas and some people have given me suggestions – so over the next couple of weeks I'll be working on recording/editing them!
Anyway, to kick start this year I'm going to share:
- Script: "wiffy v0.2" – this is what has been done so far... (Any feedback would be welcomed!)
- Video: First of a series about using metasploit and attacking different OSs
- Update: Fixed De-ICE (Level 1 - Disk 1 & Level 1 - Disk 2) as I got confused with the numbering when creating them.
Over the last year I keep getting asked a "few" common questions, so I'm going to answer most of them, here and now...
[Q] Something along the lines of "path/file can't be found: /root/tools/wordlists/g0tmi1k.lst".
[A] This is a VERY SMALL wordlist (7-10 words) which I made so I didn't have to wait for a larger wordlist to process.
[Q] Fine. Where can I get my own wordlists from then?
[A] If you're using backtrack, depending on your version you can find a collection of them here:
- By doing a quick search on the BackTrack forums found threads by -=Xploitz=- & Huegel
- A quick Google search returned: This, [this], this and this
- Due to the size to which wordlists can grow, torrents are a popular method of sharing them, Example 1, Example 2, Example 3 and Example 4
[Q] I waited "xyz" hours; my wordlists didn't work for me. Where can I find new ones?
[A] Instead of using "general" wordlists, you can create "custom" wordlists. Check pauldotcom to understand more. A different spin on it all is to use Wikipedia to generate your lists, click here for more details. If all else fails, try crunch, and here is a tutorial on how to use it.
[Q] Okay, I found some files (e.g. wordlists) which I want to use in backtrack. How do I do them?
[A] It depends on your setup. Are you using a live version of backtrack from DVD/USB? Are you using persistent changes via HDD, USB or VM? If it's a live version, when you power off backtrack, you will lose every change that you made, so you will need to store the file(s) out of the OS. Example, copy the files to USB or burn to DVD.
If it's persistent, you'll need to make sure you have space to save them! Getting the files to the OS could be done via transferring via SSH (
start-network; dhclient eth0; setup-sshd), or why not create/download when you're using backtrack?!
[Q] Is there a faster way to capture the WPA handshake, as I waited "xyz" hours?
[A] First off, check that your setup is working correctly; check aircrack-ng and drivers are functioning as they should be. If connected client(s) are visible then try a "deauthentication" attack (either to each client and or broadcast it) else wait for a new client to connect.
If you can see clients are connected and deauthing isn't working then:
- Move closer
- Improve your signal by purchasing a better/stronger WiFi card and/or antenna (For example, ALFA Networks have a USB series which ranges from "AWUS036H 500mW" to "AWUS036NH 2000mW")
- Check you are using the same mode as the AP (A, B, G or N etc.)
You need to transmit enough power so that the packets reach and are heard by the clients. If there isn't an "ack" packet received back then chances are the client didn't receive the deauth packet.
If there isn't a connect client there isn't much you can do! You can't "FakeAuth" like with WEP, so either wait for someone else to connect or turn on a device yourself.
[Q] I've got the WPA handshake and I've waited "xyz" hours for my "abc" GB wordlist but that didn't work. What can I do next?
[Q] I've got the WPA handshake and don't want to wait "xyz" hours. Is there a quicker way?
[A] See above
[Q] I've got the WPA handshake don't want to wait "xyz" hours AND I don't want to pay.
[A] Then you need to either download or pre-calculate rainbow tables for THAT SSID. You can't use rainbow table for "SSID_A" with "SSID_B". However, it's going to take time to search and download a pre-done table, or time to create the rainbow table yourself.
[Q] Okay, I've cracked the WiFi now what?
[A] If you're asking this, it sounds a little "fishy" to me.
I would like to point out: I do not support, condone, endorse, nor promote ANY illegal services. So, what do you have permission to do?
[Q] How do I connect to a WiFi network without them knowing?
[A] See above
[Q] Can you please hack "xyz" for me?
[A] See above
[Q] Can I MITM "xyz" computers / Why is it slow for my target when I MITM?
[A] If you are on the same subnet has the target then yes, you can ARP poison them.
If the target's network speed is slow/doesn't work after doing an ARP attack is because of a "bottleneck effect" as all the traffic is being routed though the attackers PC and is unable to handle all of the data being pass though it.
There are other methods and I do plan to cover those methods but utill then, see here.
[Q] Your videos are too fast. - Okay, its not really a question - but people do comment on it!
[A] These videos are demonstrative NOT tutorial videos, meaning that they are "proof" of the attack NOT a "step-by-step-guide-how-to-tutorial". The reasoning being the idea that most people don't want to watch me type out commands – that's not fun! Watching an attack happen, well personally I find slightly more interesting!
I would like to point out, you can find all the commands that I use in the post that matches the video, as well finding download links for the video – so you can download an offline copy if you need to, which you then can pause it.
[Q] How do you create/edit your videos?
[A] I record and edit all my videos using Camtasia. Personally I've found version 6 buggy, however version 7 is ALOT better with alot of extra features. It's worth the money.
Because it's "Windows/Mac only" piece of software (and I couldn't get WINE to work with it), I run the attacker and it's target(s) in a Virtual Machine, VirtualBox.
[Q] Do you know of any software that is free/works on linux?
[A] No. Otherwise I would be using it myself. =)
If you know of any, please let me know.
[Q] What's that song in "xyz" video?
[A] At the end of each of the videos, it will say. Incase you missed it then, it's also at the bottom of each post.
...and before you ask "Can you send me it? No.
I've been made aware that my work is being spread around – which I haven't got an issue with... HOWEVER! What I do have a problem with, is that I've seen people using my (badly) coded scripts/Videos – removed my name – and posting it as their own.
I'm not going to name names, or link to them as that would just promote them ripping me off... Now... I don't mind people using my work, or even using it in their projects – but people claiming what I spend time working on as theirs – just isn't fair.
If you're crazy enough to like what I'm putting out, you can find my stuff here, on the BackTrack-Linux forum, Blip.TV and GoogleCode. Other than that, anywhere else is a mirror copy of my work =)
If you are wanting to ask a question or three, either reply in the comments, catch me on IRC (irc.freenode.net), PM me on the backtrack forum or twitter me – As always, with the username of "g0tmi1k".