Wireless key grabber - Backtrack 4

Printable View

Show 40 post(s) from this thread on one page

04-02-2009, 05:03 AM
Takedown32

Have a look at the History here http://www.remote-exploit.org/codes_hotspotter.html
As it seams microsoft has patched Xp since sp1 to not bring the client from a secure EAP/TLS network to an insecure one without any warnings from the operating system.
So probably even the official 1.0 release of airbase will not do that!!!!:(:(
04-21-2009, 07:38 AM
flexOR

Quote:

Originally Posted by Takedown32

After editing

//virustotal url

NONE.

can you explain more exactly editing? ... you extracted exe by UniExtract and than some hex edit? ... I read about hexa edit but it was in meterpreter.exe... can you post what did you edit (line,text)?
04-21-2009, 04:01 PM
Takedown32

In this case i just edited some of the file info.(like company name version and such things)cause in this case all antivirus soft were checking only the hash of the wkv.exe

http://img205.imageshack.us/img205/9...0421163750.jpg
05-01-2009, 12:12 AM
soportec

Nice job, working very well. Let's walk one step forward!

Hi every one:

I've been testing for some time Wireless Key Harvester and it's a nice proof of concept and the functionality is wonderful. But let's walk one step further. Could we think about a mass attack with this honeypot.

Imagine that after working, the clients come in, get the site, have to download the meterpreter, and after getting reverse connection, they get released from the catch and get a transparent gateway to internet. So the could resolve dns and are gatewayted to internet. We could also begin to sniff... And we begin again with a new victim. I am maybe thinking in nocat auth, or nocat splash. Could we get adressed to this new direction.

Think about it.
05-01-2009, 12:53 AM
hm2075

yes in theory it is possible

my previous work was on getting them to execute our "payload" and allowing them to continue surfing through our gateway

you can do it manually no problem but to automate this is a bit tricky, you do it through assigned IP, have rules in place etc

it is possible through iptables, but to automate after payload execution? I don't know
05-01-2009, 07:07 AM
soportec

Automated gateway

Maybe the answer is the payload. Maybe executing some code in the payload rb to change the DNS resolver IP in the victim's side and maybe some routing rules could help.

Again the other possibility is to study the work of nocat auth (called by the developers: catch and release). I have read that it does iptables change automatically. I have worked with automatic hotspot software and it simply catches the client, waits for authentication (in this case for payload execution) and releases the client from the captive portal so he can begin to surf free. I'll try to read more about it.

In other point: Have somebody had luck with airbase -P - C probe response. I have tried with atheros and last svn and I had to return to rc2 without -P.

And as last point: Maybe use priv dump hashes in harvester.rb to get double functionality?
05-01-2009, 10:42 PM
hm2075

so far no luck with either ieee or mac drivers when it comes to -P on airbase,

although mac drivers work far better, i.e able to change channels and mac using airbase

just waiting for a new release of airbase
05-04-2009, 02:08 AM
Jimmy Kane

Hex keys .... WKG

ok .... first of all i am a newbie but i liked your post...
iwas searching for something else and i crawled up in here ...
btw i was searching for dhcp!!! Lol...
1.i run Wireless key grabber on win vista x64 and is a different version.... you should try uploading different version of wkp.exe for wink64 system
2. Ok to the point Hex numbers .... the 64 bit version of windows works like charm and shows the numbers in hex .... so it is very simple math....
how to convert them to passphrase is very easy if their are only numbers and letters .... anyway the concept is .....
subtract by group of cuples
------example 1 only numbers 64bit hexkey----
passphrase: 12345
Wireless Key Manager output: 3132333435
subtract 30 -3030303030
ans =12345
------example 2 letters and numbers 64bit hex key ---------
passphrase:A1B2C
wireless key manager output: 4131423252
sutract 30 for numbers
...and 40 for cap. letters where 1 is A ....
..or look up
caractermap...... 41-40 31-30 42-40 32-30 43-40

=A1B2C
----------------
Cheers
05-04-2009, 02:28 AM
Jimmy Kane

another mistake !!!

in your index.html you write in code ..." onClick="window.open('/windowsupdate.exe', 'download" wrong! erno //c/windowsupdate ..... could not be found ...

should use onClick="window.open('windowsupdate.exe' no ---->/
hmmmm ok ?
ok?
LoL nioce one dude though .... if your exploit works in x64 versions you can go deeper ....
i have tried it and it works but i told you the errors ...
05-30-2009, 12:26 AM
shinjuku

DUB-YA DUB-YA DUB-YA DOT virustotal DOT com/analisis/b969b0eacca72afb411f24e7939ab34f35711d2e1a7d194ba1 081f7fff38c999-1243636191

Such a shame :(

Looks really promising though

Show 40 post(s) from this thread on one page