Ok, so my friend and I managed to lock down the network pretty well with hopes of a more difficult challenge (having succeeded multiple times with WEP and WPA-PSK cracking).
I set up a server (running Server 03) with AD enabled for my machines. I turned on MAC address filtering on my crappy Linksys router, with WPA-PSK encryption. However, I had my friend enter the password. I know the password is horribly complex (as the fellow is my IT partner), so a dictionary attack is out of the question. MAC address filtering is easy to get by. I had him also change the login and pass to the router.
Is my only option telnet under an anonymous account?
Or, for the windows side of things, is the saved WPA password associated with the AP in some sort of file that can be A: analyzed or B: decrypted (if encrypted)?
Any suggestions, or leads on a path to search down?
#Telnet
mtd-erase -d nvram
Use at your own risk.
Blatant and noisy, but I suppose it will work...
I'll try the latter first. I want to be as quiet as possible, not that it really matters. Hell, I could reset the router manually, but I want to learn about security, not just execute code.
Thanks for the reply though!
I wonder if WZCook would work?
http://www.freewarereview.info/2007-..._wpa_psks.html
Wow, that looks exactly like what I was thinking of. I will try that out, thanks!
My current struggle is finding the external IP for the router without being associated with it. Capturing data promiscuously does not give me much, even when I generate traffic with the laptop I am on now. (I could use this laptop to get it, as I am associated with the AP I am trying to crack, but that's no fun, is it?) Again, if anyone has any ideas, or if someone can point me in the direction of some information, that would be spectacular.
Well, you will be able to get the IP wirelessly, like this:
You need to chopchop a wireless ARP packet; the chopchop process will decrypt the IPs, so you just have to open the decrypted packet in Wireshark, or simply in tcpdump, to get the IPs in human-readable format.
To limit your capture to wireless ARPs, use these switches:
aireplay-ng -F --chopchop -m 68 -n 68 -b APMAC -h CLIENTMAC CARD
It will save 2 packets: replay_srcxxxx.cap & replay_decyyyy.cap.
Open the replay_dec one.
That's the way we get the IPs for setting up an ARP amplification attack, where we need both IPs, the AP one & the client one.
Hope it helps.
Watch your back, your packetz will belong to me soon... xD
BackTrack : Giving Machine Guns to Monkeys since 2006
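The replay_dec capture the reply refers to is an ordinary pcap file, and the decrypted frame inside it should carry an LLC/SNAP header followed by the 28-byte ARP body, which is where both the sender and target IPs live. The script below is an added example (not from this thread and not part of aircrack-ng) that pulls those addresses out with only the Python standard library, so you can see exactly what tcpdump or Wireshark would show you. It assumes a classic pcap (not pcapng) with link type 105 (raw IEEE 802.11) or 1 (Ethernet), and that the decrypted frame no longer has a WEP IV/ICV around the payload; the embedded sample frame, MACs and IPs are constructed for the demo.

```python
"""Extract ARP sender/target MAC and IP pairs from a decrypted capture such as
the replay_dec-*.cap written by aireplay-ng --chopchop.

Added example for the thread above, not aircrack-ng code.  Assumptions: classic
pcap format, link type 1 (Ethernet) or 105 (raw 802.11), no WEP IV/ICV left
around the decrypted payload.  The sample capture built below is constructed."""
import struct
import sys
from typing import List, Optional, Tuple

DLT_EN10MB = 1
DLT_IEEE802_11 = 105
ETHERTYPE_ARP = b"\x08\x06"
SNAP_HDR = b"\xaa\xaa\x03\x00\x00\x00"  # LLC SNAP, OUI 00:00:00


def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_pcap(data: bytes) -> Tuple[int, List[bytes]]:
    """Return (linktype, [frame bytes, ...]) from a classic pcap blob."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    frames, off = [], 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        frames.append(data[off:off + incl_len])
        off += incl_len
    return linktype, frames


def arp_payload(frame: bytes, linktype: int) -> Optional[bytes]:
    """Strip the link-layer header and return the ARP body, or None if not ARP."""
    if linktype == DLT_EN10MB:
        return frame[14:] if len(frame) >= 14 and frame[12:14] == ETHERTYPE_ARP else None
    if linktype == DLT_IEEE802_11:
        fc = struct.unpack("<H", frame[:2])[0]
        ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
        if ftype != 2:            # only data frames carry LLC/SNAP
            return None
        hlen = 24
        if (fc >> 8) & 0x3 == 0x3:  # ToDS+FromDS: a fourth address follows
            hlen += 6
        if subtype & 0x8:           # QoS data subtypes add a 2-byte QoS field
            hlen += 2
        llc = frame[hlen:hlen + 8]
        if llc[:6] != SNAP_HDR or llc[6:8] != ETHERTYPE_ARP:
            return None
        return frame[hlen + 8:]
    return None


def parse_arp(payload: bytes) -> dict:
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", payload[8:28])
    return {"op": {1: "request", 2: "reply"}.get(oper, oper),
            "sender_mac": mac(sha), "sender_ip": ip(spa),
            "target_mac": mac(tha), "target_ip": ip(tpa)}


def arp_addresses(pcap: bytes) -> List[dict]:
    linktype, frames = parse_pcap(pcap)
    out = []
    for frame in frames:
        body = arp_payload(frame, linktype)
        if body is not None and len(body) >= 28:
            out.append(parse_arp(body))
    return out


def build_sample_pcap() -> bytes:
    """Constructed sample: one decrypted 802.11 data frame (client -> AP, ToDS set)
    carrying an ARP request from 192.168.1.100 for 192.168.1.1.  All addresses
    are made up for this example."""
    client, ap = bytes.fromhex("001122334455"), bytes.fromhex("00c0ffee0001")
    hdr = struct.pack("<H", 0x0108) + b"\x00\x00" + ap + client + ap + b"\x00\x00"
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + client + bytes([192, 168, 1, 100])
           + b"\x00" * 6 + bytes([192, 168, 1, 1]))
    frame = hdr + SNAP_HDR + ETHERTYPE_ARP + arp
    pcap_hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_IEEE802_11)
    rec_hdr = struct.pack("<IIII", 0, 0, len(frame), len(frame))
    return pcap_hdr + rec_hdr + frame


if __name__ == "__main__":
    # Usage: python3 arp_from_cap.py <replay_dec capture>; no argument runs the sample.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    for entry in arp_addresses(blob):
        print(entry)
```

Run it against the replay_dec file and each ARP frame prints as a dict with the client's address in the sender fields and the AP/gateway in the target fields; if nothing prints, the frame either was not ARP or the capture still contains encrypted bytes (the 802.11 frame-type check and SNAP signature will both fail on ciphertext).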
Thanks for the reply. I tried the chopchop attack but just get stuck with my card reading packets, so I tried a few different variations, but I am still only able to read the packets, and those 2 files are not being written. I let the packet count reach 160,000 and still nothing. Tried deauthing the clients, fake authenticated, and still no files are being written to my root directory.
aireplay-ng -F --chopchop -m 68 -n 68 -b APMAC -h CLIENTMAC CARD
It will save 2 packets: replay_srcxxxx.cap & replay_decyyyy.cap.