
Thread: Bruteforce attack useless

  1. #11
    Member
    Join Date
    Feb 2010
    Posts
    204

    my initial idea was to just dump specific info, but like you said it is a pain trying to find what you want,

    then I looked into karmetasploit and thought, why don't we do this:

    create a fake ap using airbase-ng, user is redirected to exploitable page and the exploits run in iframes, we dump the whole registry.

    and then search the registry in our own time, we can be prepared next time by having the wpa keys, and as you said all sorts of other vital information

    now what we need is a single universal way of uploading a payload, my guess would be to create something on the redirected page

  2. #12
    Member
    Join Date
    Feb 2010
    Posts
    204

    Quote Originally Posted by woistfred:
    mhh... you're thinking of some javascript / activeX payload in order to even succeed with fully patched systems, don't you?
    or if that is too difficult then a page that says please re-enter your wpa key

    but that's been done before

  3. #13
    Good friend of the forums
    Join Date
    Jun 2008
    Posts
    425

    Just been mucking around with dlink and dse wireless third party utilities and they are in the same area.
    Just looked up how to read the reg in C, so I will try and write an exe that can be uploaded with metasploit and executed; the program would read about 10 key folders and send it out a socket (connect using nc on bt to say port 6000) and display the strings etc. I think most av don't detect programs that use that function, just the order and stuff.

  4. #14
    Member Mortifix's Avatar
    Join Date
    Nov 2006
    Posts
    113

    Is autopwn included with BT3?

    Nvm, didn't realize it was part of Fast Track.
    I hate Google.

  5. #15
    Member
    Join Date
    Feb 2010
    Posts
    204

    I've been thinking further about this,

    if we did somehow manage to dump the wpa hash from the registry we would still need to decrypt it; in windows you can use cain, but even so that takes a long time too.

    so unless the user is prompted to give us the wpa key I don't think it is going to work.

    POC... Create fake ap, user connects to fake ap, evilgrade, upload msf payload, connect back to pc. This should work, but then what? we still have the problem of obtaining the wpa key

  6. #16
    Good friend of the forums
    Join Date
    Jun 2008
    Posts
    425

    If the wpa keys are stored in the registry, encrypted or not, it will still need a key in the registry or in some place to decode it for the wireless connection.

    I'm guessing, but it would probably be something like the accountid, and md5

  7. #17
    Member
    Join Date
    Feb 2010
    Posts
    204

    a bit more progress,

    we can use this tool http://www.nirsoft.net/utils/wireless_key.html, upload it and execute via command line; it can save all keys to a text file

    gives all keys in hex.

  8. #18
    Member
    Join Date
    Feb 2010
    Posts
    204

    very well explained dude, cheerz for that

    we would still need the final stage of getting a msf payload onto our victim if it's a fully patched system,

    drive-by downloads are an option but need a way to bypass AVs with these

  9. #19
    Member
    Join Date
    Feb 2010
    Posts
    204

    I've been looking into evilgrade and one of our options may be to have a page that displays JAVA but then says it needs to be updated and have an update link embedded within it. I know we can deliver the payload by directly forcing them to download an exe, but that would be too suspicious; instead we let them think it's a real upgrade.

    I've also been looking into one time redirection only, we don't want our victim to be constantly viewing the same page, we want them to type any address in, get redirected to the "portal" and then be able to surf happily.

    Something similar to nocatsplash, - this seems interesting http://www.cs.usfca.edu/~afedosov/netgreg/

  10. #20
    Just burned his ISO
    Join Date
    Mar 2008
    Posts
    1

    Ok, this thread is exactly what I am trying to do myself. I just have a few problems that I need to solve.

    What I have working: Evil AP, Aireplay is doing a massive DDOS to the victim's AP, all clients are not associated and are probing the ESSID.

    Ok, so the basics are done.

    Now I need to get the DHCP server up and running to assign IP addresses to the clients.

    I downloaded dhcp-3.0.7 from the ISC site, but I am having problems installing it. Not sure if it's compatible with Backtrack3. Any ideas here? This is the error it is piping to me
    Code:
    bt dhcp-3.0.7 # ./configure
    System Type: linux-2.2
    make[1]: Entering directory `/tmp/cap/dhcp-3.0.7/work.linux-2.2'
    make[1]: Warning: File `Makefile' has modification time 1.4e+04 s in the future
    Making links in common
    make[2]: Entering directory `/tmp/cap/dhcp-3.0.7/work.linux-2.2/common'
    make[2]: Warning: File `Makefile' has modification time 1.4e+04 s in the future
    ln: creating symbolic link `raw.c': Operation not supported
    ln: creating symbolic link `parse.c': Operation not supported
    ln: creating symbolic link `nit.c': Operation not supported
    THIS GOES ON FOR A PAGE
    
    ln: creating symbolic link `dhcp-eval.5': Operation not supported
    make[2]: *** [links] Error 1
    make[2]: Leaving directory `/tmp/cap/dhcp-3.0.7/work.linux-2.2/common'
    make[1]: *** [links] Error 1
    make[1]: Leaving directory `/tmp/cap/dhcp-3.0.7/work.linux-2.2'
    make: *** [links] Error 2
    After this I just wanted to see if it would make, and this is that error
    Code:
    bt dhcp-3.0.7 # make
    make[1]: Entering directory `/tmp/cap/dhcp-3.0.7/work.linux-2.2'
    make[1]: Warning: File `Makefile' has modification time 1.4e+04 s in the future
    Making all in common
    make[2]: Entering directory `/tmp/cap/dhcp-3.0.7/work.linux-2.2/common'
    make[2]: Warning: File `Makefile' has modification time 1.4e+04 s in the future
    make[2]: *** No rule to make target `raw.o', needed by `libdhcp.a'.  Stop.
    make[2]: Leaving directory `/tmp/cap/dhcp-3.0.7/work.linux-2.2/common'
    make[1]: *** [all] Error 1
    make[1]: Leaving directory `/tmp/cap/dhcp-3.0.7/work.linux-2.2'
    make: *** [all] Error 2
    So this is where I am stuck at. Any help would be greatly appreciated.

    Also I would like to add. I think this is one of the best ways of attacking WPA/WPA2 networks. Bruteforcing just does not work very well with all the possible keys you can have unless you put the key in your dictionary file.

    I would love to see an in-depth tutorial on this subject. That would be purely awesome.
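    The `ln: creating symbolic link ... Operation not supported` lines in the post above mean the source was unpacked on a filesystem that cannot hold symlinks (the ISC build's `links` target creates them), so configure and make can never get past that step. The POSIX shell check below is an added example, not from the thread or the ISC package; it probes a candidate build directory for symlink support before unpacking there, and the `/tmp/cap` path is only the directory from the post.

```shell
#!/bin/sh
# Added example: test whether a directory's filesystem can create symbolic
# links, which the dhcp-3.0.7 "links" make target needs. Not part of the
# original thread or of the ISC dhcp sources.
# Usage: check_build_dir /tmp/cap

supports_symlinks() {
    dir=$1
    probe="$dir/.symlink_probe.$$"
    # Create a throwaway target file, then try to symlink to it.
    : > "$probe.target" 2>/dev/null || return 2   # directory unusable
    if ln -s "$probe.target" "$probe.link" 2>/dev/null; then
        rm -f "$probe.link" "$probe.target"
        return 0                                   # symlinks work here
    fi
    rm -f "$probe.target"
    return 1                                       # e.g. vfat/ntfs-3g mount
}

# Filesystem type of the directory, for the report (GNU df; empty elsewhere).
fs_type() {
    df -T "$1" 2>/dev/null | awk 'NR==2 {print $2}'
}

# Print a verdict and return 0 only when a source tree can be built there.
check_build_dir() {
    dir=$1
    if supports_symlinks "$dir"; then
        echo "ok: $dir ($(fs_type "$dir")) supports symlinks"
        return 0
    fi
    echo "no: $dir ($(fs_type "$dir")) cannot create symlinks; unpack the source elsewhere (e.g. a directory on the root ext filesystem)" >&2
    return 1
}
```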
